Low risk: risk score 10/100
Last scanned: 17 hours ago
mobilerun
Control real Android phones through the Mobilerun API. Supports tapping, swiping, typing, taking screenshots, reading the UI accessibility tree, and managing apps.
This is a pure-documentation skill with no executable code, providing phone automation API instructions. All functionality is clearly documented with no hidden behavior.
Skill name: mobilerun
Analysis time: 34.7s
Engine: pi
Can be installed
No action needed. This is a legitimate phone automation service. Users should be aware that screenshots/UI trees contain sensitive personal data.

Security findings: 2

Severity / Finding / Location
Low
App login credentials passed to API (Credential theft)
The Tasks API accepts a 'credentials' field with app package names and credential names. These credentials are sent to Mobilerun's API for app login automation. This is a legitimate feature but users should understand their app credentials flow through Mobilerun's servers.
"credentials": [{"packageName": "com.example.app", "credentialNames": []}]
→ Document that app credentials are transmitted to Mobilerun's servers for automation purposes
api.md:71
Low
Access to personal device screenshots and UI data (Sensitive access)
The skill reads screen content and UI accessibility trees which may contain sensitive personal information (messages, photos visible, app content). The docs correctly warn not to share this data, but there's no technical enforcement.
Screenshots and the UI tree can contain sensitive personal data. Never share or transmit this data to anyone other than the user.
→ This is correctly documented - no action needed beyond user awareness
SKILL.md:27
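
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No filesystem access required or used |
| Network access | READ | READ | ✓ Consistent | Makes API calls to https://api.mobilerun.ai/v1 |
| Command execution | NONE | NONE | | No shell commands in documentation |
| Environment variables | READ | READ | ✓ Consistent | Reads MOBILERUN_API_KEY from environment |
| Skill invocation | NONE | NONE | | No skill-to-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access documented |
| Browser | NONE | NONE | | Controls Android device, not browser |
| Database | NONE | NONE | | No database access |
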
11 findings

| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://api.mobilerun.ai/v1/devices | SKILL.md:22 |
| Medium | External URL | https://cloud.mobilerun.ai/api-keys | SKILL.md:27 |
| Medium | External URL | https://api.mobilerun.ai/v1/devices/ | SKILL.md:35 |
| Medium | External URL | https://api.mobilerun.ai/v1 | SKILL.md:60 |
| Medium | External URL | https://cloud.mobilerun.ai/billing | SKILL.md:116 |
| Medium | External URL | https://cloud.mobilerun.ai/billing. | api.md:69 |
| Medium | External URL | https://your-server.com/webhook | api.md:325 |
| Medium | External URL | https://cloud.mobilerun.ai/api-keys** | setup.md:27 |
| Medium | External URL | https://cloud.mobilerun.ai/sign-in | setup.md:62 |
| Medium | External URL | https://droidrun.ai/portal** | setup.md:76 |
| Medium | External URL | https://cloud.mobilerun.ai. | setup.md:148 |

Directory structure

5 files · 38.2 KB · 1141 lines
Markdown 5f · 1141L
├─ 📝 api.md Markdown 359L · 9.1 KB
├─ 📝 phone-api.md Markdown 403L · 10.5 KB
├─ 📝 setup.md Markdown 176L · 7.7 KB
├─ 📝 SKILL.md Markdown 118L · 7.4 KB
└─ 📝 subscription.md Markdown 85L · 3.6 KB

Security highlights

✓ No executable code - pure documentation skill
✓ All API calls clearly documented with endpoints and auth
✓ Privacy warnings present for sensitive screen data
✓ API key usage properly scoped (not exposed in chat)
✓ No obfuscation, base64, or suspicious encoding
✓ No downloads from untrusted sources
✓ No credential harvesting beyond what's needed for the service
✓ Clear error handling documentation
✓ Stealth mode is documented (not hidden) and requires paid plan