The Agent Skills Directory

[COMMAND_EXECUTION]: The skill involves the execution of numerous security-focused command-line utilities, including ADB, Frida, Objection, and Drozer, which are necessary for interacting with and analyzing Android devices and application packages.
[EXTERNAL_DOWNLOADS]: The skill provides instructions for installing well-known security tools via official package managers (pip, brew, npx) and references specialized auditing scripts from public GitHub repositories.
[DATA_EXFILTRATION]: The methodology includes automated and manual searches for sensitive information (e.g., hardcoded credentials, API keys, and database records) within the context of testing a target application's security posture. This data is processed locally for auditing purposes.
[PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection (Category 8) because the agent is tasked with processing untrusted content from third-party APK files, logs, and memory dumps. This is a low-severity risk inherent to the primary purpose of penetration testing.
Ingestion points: Untrusted data enters the agent's context through APK source code (extracted via jadx), string searches, and ADB shell outputs (SKILL.md, references/android-static-analysis.md).
Boundary markers: There are no explicit markers used to delimit data extracted from the application from the agent's instructional logic.
Capability inventory: The skill allows for extensive shell command execution and filesystem access to support the analysis process (SKILL.md).
Sanitization: No specific sanitization or filtering of external data is mentioned prior to processing findings.

android-app-pentesting