android-apk
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to download the JDK 17 from Oracle's official archive and Android command-line tools from Google's developer site. These are well-known, trusted sources.
- [COMMAND_EXECUTION]: Provides a bash script (
build.sh) that executes standard Java and Android build tools (javac,d8,aapt,apksigner) to compile and package an APK. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the use of template variables (e.g., $PACKAGE, $ACTIVITY, $API_ENDPOINT) that are interpolated into shell scripts and Java source code. Ingestion points: Variable placeholders in SKILL.md. Boundary markers: None present. Capability inventory: Bash execution, Java compilation, and network requests via curl and Java's HttpURLConnection. Sanitization: No input validation or escaping is applied to the interpolated variables.
- [CREDENTIALS_UNSAFE]: The build script generates a development signing key using a hardcoded password ('android'), which is a common convention for debug builds but constitutes a hardcoded credential.
Audit Metadata