android-apk

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to download the JDK 17 from Oracle's official archive and Android command-line tools from Google's developer site. These are well-known, trusted sources.
  • [COMMAND_EXECUTION]: Provides a bash script (build.sh) that executes standard Java and Android build tools (javac, d8, aapt, apksigner) to compile and package an APK.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the use of template variables (e.g., $PACKAGE, $ACTIVITY, $API_ENDPOINT) that are interpolated into shell scripts and Java source code. Ingestion points: Variable placeholders in SKILL.md. Boundary markers: None present. Capability inventory: Bash execution, Java compilation, and network requests via curl and Java's HttpURLConnection. Sanitization: No input validation or escaping is applied to the interpolated variables.
  • [CREDENTIALS_UNSAFE]: The build script generates a development signing key using a hardcoded password ('android'), which is a common convention for debug builds but constitutes a hardcoded credential.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 17, 2026, 11:10 PM
Security Audit — agent-trust-hub — android-apk