Low Risk — Risk Score 10/100
Last scan: 16 hr ago
mobilerun
Control real Android phones through the Mobilerun API. Supports tapping, swiping, typing, taking screenshots, reading the UI accessibility tree, and managing apps.
This is a pure-documentation skill with no executable code, providing phone automation API instructions. All functionality is clearly documented with no hidden behavior.
Skill Name: mobilerun
Duration: 34.7s
Engine: pi
Safe to install
No action needed. This is a legitimate phone automation service. Users should be aware that screenshots/UI trees contain sensitive personal data.

Findings 2 items

Severity: Low
Finding: App login credentials passed to API (Credential Theft)
Location: api.md:71
The Tasks API accepts a 'credentials' field with app package names and credential names. These credentials are sent to Mobilerun's API for app login automation. This is a legitimate feature but users should understand their app credentials flow through Mobilerun's servers.
"credentials": [{"packageName": "com.example.app", "credentialNames": []}]
→ Document that app credentials are transmitted to Mobilerun's servers for automation purposes

Severity: Low
Finding: Access to personal device screenshots and UI data (Sensitive Access)
Location: SKILL.md:27
The skill reads screen content and UI accessibility trees which may contain sensitive personal information (messages, photos visible, app content). The docs correctly warn not to share this data, but there's no technical enforcement.
Screenshots and the UI tree can contain sensitive personal data. Never share or transmit this data to anyone other than the user.
→ This is correctly documented - no action needed beyond user awareness

Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE      -          No filesystem access required or used
Network       READ      READ      ✓ Aligned  Makes API calls to https://api.mobilerun.ai/v1
Shell         NONE      NONE      -          No shell commands in documentation
Environment   READ      READ      ✓ Aligned  Reads MOBILERUN_API_KEY from environment
Skill Invoke  NONE      NONE      -          No skill-to-skill invocation
Clipboard     NONE      NONE      -          No clipboard access documented
Browser       NONE      NONE      -          Controls Android device, not browser
Database      NONE      NONE      -          No database access

11 findings
Medium  External URL  https://api.mobilerun.ai/v1/devices  SKILL.md:22
Medium  External URL  https://cloud.mobilerun.ai/api-keys  SKILL.md:27
Medium  External URL  https://api.mobilerun.ai/v1/devices/  SKILL.md:35
Medium  External URL  https://api.mobilerun.ai/v1  SKILL.md:60
Medium  External URL  https://cloud.mobilerun.ai/billing  SKILL.md:116
Medium  External URL  https://cloud.mobilerun.ai/billing.  api.md:69
Medium  External URL  https://your-server.com/webhook  api.md:325
Medium  External URL  https://cloud.mobilerun.ai/api-keys**  setup.md:27
Medium  External URL  https://cloud.mobilerun.ai/sign-in  setup.md:62
Medium  External URL  https://droidrun.ai/portal**  setup.md:76
Medium  External URL  https://cloud.mobilerun.ai.  setup.md:148

File Tree

5 files · 38.2 KB · 1141 lines
Markdown 5f · 1141L
├─ 📝 api.md Markdown 359L · 9.1 KB
├─ 📝 phone-api.md Markdown 403L · 10.5 KB
├─ 📝 setup.md Markdown 176L · 7.7 KB
├─ 📝 SKILL.md Markdown 118L · 7.4 KB
└─ 📝 subscription.md Markdown 85L · 3.6 KB

Security Positives

✓ No executable code - pure documentation skill
✓ All API calls clearly documented with endpoints and auth
✓ Privacy warnings present for sensitive screen data
✓ API key usage properly scoped (not exposed in chat)
✓ No obfuscation, base64, or suspicious encoding
✓ No downloads from untrusted sources
✓ No credential harvesting beyond what's needed for the service
✓ Clear error handling documentation
✓ Stealth mode is documented (not hidden) and requires paid plan