The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill provides commands to install the android CLI by fetching scripts from Google's official domain (dl.google.com). These scripts are executed directly to set up the environment.
[REMOTE_CODE_EXECUTION]: The android update --url=PARAM command allows the CLI tool to download and install updates from a user-specified or agent-provided URL. This mechanism can be exploited to execute arbitrary code if the URL parameter is manipulated to point to a malicious source.
[COMMAND_EXECUTION]: The skill makes extensive use of adb shell input and other system commands to interact with connected Android devices. Improperly sanitized user or agent-provided input flowing into these commands could lead to local command injection vulnerabilities.
[PROMPT_INJECTION]: The Journeys feature described in references/journeys.md involves the agent parsing and executing natural language instructions embedded within XML files. This creates a surface for indirect prompt injection where a malicious journey definition could trick the agent into performing unauthorized operations.
Ingestion points: references/journeys.md (XML-specified journey tests)
Boundary markers: Uses XML tags, but lacks instructions to ignore adversarial content within these markers
Capability inventory: adb shell interactions, tool updates, SDK management, and file system writes
Sanitization: Includes a basic check to ensure actions specify UI interactions, but this is insufficient to prevent sophisticated injection attacks
[DATA_EXFILTRATION]: The skill includes commands to capture device screenshots and UI layout trees, which are then saved to local files. While intended for debugging, these files may contain sensitive application data or PII that is visible on the device screen during execution.

android-cli