open-autoglm-phone-agent
github.com/aradotso/trending-skills
Scanned Thu, 28 May 2026 17:12:22 GMT
Scan ID crawl-nhmr0cs2eq3lcwof9o6hgbdo · 2ms
C
SCORE 55 / 100
Verdict: Proceed with caution
8 medium findings.
This skill spawns subprocesses outside its declared capabilities plus 7 other issues listed below.
0 critical · 0 high · 8 medium · 4 rules passed
Why grade C?
Score: 55 / 100. The current grade reflects 8 medium findings (6+ MEDs → C).
0 CRIT · 0 HIGH · 8 MED · 0 LOW
To reach a higher grade
- B: Reach B, target score 75. Resolve 3 of 8 MED (cap is 5).
- A: Reach A, target score 95. Resolve 6 of 8 MED (cap is 2).
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
299 cmd.extend(["-s", device_id])
300 cmd.extend(["exec-out", "screencap", "-p"])
301 result = subprocess.run(cmd, capture_output=True)  ← spawns a subprocess outside declared capabilities
302 return result.stdout
303
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
308 cmd.extend(["-s", device_id])
309 cmd.extend(["shell", "input", "tap", str(x), str(y)])
310 subprocess.run(cmd)  ← spawns a subprocess outside declared capabilities
311
312 def send_text_adb_keyboard(text: str, device_id: str = None):
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
317 # Enable ADB keyboard first
318 cmd_enable = cmd + ["shell", "ime", "set", "com.android.adbkeyboard/.AdbIME"]
319 subprocess.run(cmd_enable)  ← spawns a subprocess outside declared capabilities
320 # Send text
321 cmd_text = cmd + ["shell", "am", "broadcast", "-a", "ADB_INPUT_TEXT",
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
321 cmd_text = cmd + ["shell", "am", "broadcast", "-a", "ADB_INPUT_TEXT",
322 "--es", "msg", text]
323 subprocess.run(cmd_text)  ← spawns a subprocess outside declared capabilities
324
325 def swipe(x1: int, y1: int, x2: int, y2: int, duration_ms: int = 300, device_id: str = None):
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
330 cmd.extend(["shell", "input", "swipe",
331 str(x1), str(y1), str(x2), str(y2), str(duration_ms)])
332 subprocess.run(cmd)  ← spawns a subprocess outside declared capabilities
333
334 def press_back(device_id: str = None):
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
338 cmd.extend(["-s", device_id])
339 cmd.extend(["shell", "input", "keyevent", "KEYCODE_BACK"])
340 subprocess.run(cmd)  ← spawns a subprocess outside declared capabilities
341
342 def launch_app(package_name: str, device_id: str = None):
med · Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
347 cmd.extend(["shell", "monkey", "-p", package_name, "-c",
348 "android.intent.category.LAUNCHER", "1"])
349 subprocess.run(cmd)  ← spawns a subprocess outside declared capabilities
350 ```
351
med · No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-nhmr0cs2eq3lcwof9o6hgbdo