android-device-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes examples that embed plaintext credentials directly into CLI act prompts (e.g., "fill in ... the password field with 'pass123'"), which would require the agent to include secret values verbatim in generated commands—an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly lets the agent launch arbitrary web URIs (e.g., "npx -y @midscene/android@1 launch --uri https://www.ebay.com") and requires taking and reading screenshots to decide the next actions, meaning it ingests untrusted public web content (and remote images via URL) that can materially influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs users to run remote code via npx (e.g., "npx -y @midscene/android@1"), which fetches and executes the @midscene/android package from the npm registry at runtime (implicit URL like https://registry.npmjs.org/@midscene/android), so this is a runtime external dependency that executes remote code and is required for the skill.