This skill grants an AI agent complete control over
Claims to do
ADB Android Control Skill: Complete Android device control and automation via ADB (Android Debug Bridge) for Claude Code.
Actually does
This skill executes a wide range of `adb` commands to control and automate Android devices. It performs actions like app installation/uninstallation, file transfer, screen capture, input simulation, shell command execution, and device information retrieval. It also includes shell and Python scripts for Termux environments to manage wireless ADB connections, scan ports, and monitor device status.
Shell command execution function detected
rm -rf /
The skill allows execution of arbitrary shell commands on the connected Android device, including full file system access (read, write, delete, recursive delete) and comprehensive app management (install, uninstall, clear data, force stop, disable). This grants an AI agent complete control over the device's operating system and installed applications.
`adb shell`, `adb install`, `adb uninstall com.example.app`, `adb shell rm -rf /sdcard/MyFolder`, `adb shell pm disable-user com.example.app`, `adb shell settings put system screen_brightness 128`
The skill provides multiple methods for exfiltrating sensitive data from the Android device, including pulling arbitrary files/directories, taking screenshots, recording the screen, extracting full app APKs, backing up entire device data, and capturing detailed system logs. This poses a significant privacy and data security risk.
`adb pull /sdcard/file.txt ./`, `adb exec-out screencap -p > screenshot.png`, `adb shell screenrecord /sdcard/video.mp4`, `adb backup -apk -shared -all -f backup.ab`, `adb logcat -d > logs.txt`, `adb pull "$APK_PATH" "$OUTPUT_DIR/app.apk"`
The skill includes a setup script (`setup.sh`) that installs auto-connect services and boot scripts (`~/.termux/boot/adb-autoconnect`) to ensure persistent ADB connectivity and monitoring on device startup. This allows the agent to maintain control and execute actions even after device reboots.
`cd ~/.claude/skills/adb-android-control/termux; ./setup.sh`, `On Termux startup (~/.termux/boot/adb-autoconnect): ... Start auto-connect service ... Start connection monitor`
The skill enables extensive device reconnaissance, including detailed system properties, battery/memory/CPU info, running processes, and network details. It also includes tools for port scanning, WiFi/Bluetooth scanning (SSID, BSSID, signal strength), USB device enumeration, and network manipulation like port forwarding/reverse forwarding.
`adb shell getprop`, `adb shell dumpsys wifi`, `adb shell ip addr show wlan0`, `python3 scripts/adb_port_scan.py`, `python3 scripts/radio_scan.py`, `termux-usb -l`, `adb forward tcp:8080 tcp:8080`
The skill allows the AI agent to simulate user input such as taps, swipes, text input, and key events. This enables the agent to interact with the device's UI, potentially bypassing lock screens (if ADB is authorized), typing sensitive information, or performing unauthorized actions.
`adb shell input tap 500 1000`, `adb shell input swipe 500 1500 500 500 300`, `adb shell input text "HelloWorld"`, `adb shell input keyevent KEYCODE_HOME`
The skill explicitly mentions `adb root` for operations requiring root access and `adb shell run-as` to execute commands as a specific application, potentially escalating privileges within that app's context. It also includes commands that can cause significant impact, such as `adb reboot` (denial of service) and `adb restore` (data injection/destruction).
`adb root # If device is rooted`, `adb shell run-as com.example.app`, `adb reboot`, `adb restore backup.ab`
The skill relies on and installs multiple external Python and shell scripts (`setup.sh`, `adb_port_scan.py`, `connection_monitor.py`, etc.) for its advanced features. The integrity of these scripts is critical, as a compromise in any of them could lead to arbitrary code execution on the host system where the skill is run, not just the Android device.
`cd ~/.claude/skills/adb-android-control/termux; ./setup.sh`, `python3 scripts/adb_port_scan.py`, `python3 scripts/connection_monitor.py`
A specific device serial number is hardcoded in the skill configuration. This identifies a real device and could be used for targeted attacks or tracking.
DEVICE_SERIAL="RFCY7036LSY"
A specific Android device ID is hardcoded. The Android ID is a persistent unique identifier that could be used for device fingerprinting and tracking.
DEVICE_ANDROID_ID="54116884d88102e3"
Internal network IP addresses and ADB ports are hardcoded in configuration examples, exposing network topology details of the target environment.
```
ZFOLD7=192.168.1.103:33467
PIXEL=192.168.1.104:5555
ADB_HOME_IP="192.168.1.103"
```
The skill installs persistent background services that auto-start on Termux boot, maintain continuous ADB connections, and run indefinitely. This constitutes a persistence mechanism that survives reboots and operates without ongoing user awareness.
```
Boot script (starts on Termux launch)
Auto-connect service (reconnects every 30s)
On Termux startup (~/.termux/boot/adb-autoconnect):
1. Wake lock acquired
2. Load device config
3. Try connecting with saved port
4. If fails → scan for new port
5. Start auto-connect service
6. Start connection monitor
```
The skill includes automated port scanning capabilities that scan a wide port range (30000-50000) on target IPs. This is a classic reconnaissance technique that could be used to discover services beyond just ADB.
```
python3 scripts/adb_port_scan.py 192.168.1.103 30000 50000
The system automatically:
1. Detects connection failure
2. Pings IP to check if host reachable
3. Scans ports 30000-50000 for ADB
```
The skill includes scripts that continuously monitor WiFi networks (SSID, BSSID, RSSI, channels), Bluetooth devices, and network switches. This provides ongoing passive surveillance of the wireless environment beyond what ADB device control requires.
```
python3 scripts/radio_scan.py
Output includes:
- SSID, BSSID, RSSI (dBm), frequency, channel
- Link speed (TX/RX Mbps)
- WiFi standard (802.11ac/ax)
- MIMO support, 6GHz capability
- Bluetooth state, connected devices
```
The skill provides commands for full device backup (-all flag) including shared storage and APKs, as well as an 'App Data Extraction' workflow that pulls APKs, package info, and permissions from devices. This could be used to exfiltrate sensitive data from Android devices.
```
# Backup app data
adb backup -apk -shared -all -f backup.ab
### Workflow 4: App Data Extraction
echo "Getting APK..."
APK_PATH=$(adb shell pm path "$PACKAGE" | cut -d: -f2 | tr -d '\r')
adb pull "$APK_PATH" "$OUTPUT_DIR/app.apk"
echo "Dumping package info..."
adb shell dumpsys package "$PACKAGE" > "$OUTPUT_DIR/package_info.txt"
echo "Dumping permissions..."
```
The skill explicitly provides and encourages arbitrary shell command execution on Android devices via 'adb shell'. Combined with root escalation commands, this provides a complete remote code execution interface.
```
# Run shell interactively
adb shell
# Run as specific user
adb shell run-as com.example.app
# Some operations require root
adb root # If device is rooted
adb shell reboot -p
```
The skill instructs users to run 'adb root' to gain root-level access to devices, and includes commands that require root (shutdown, etc.). This constitutes deliberate privilege escalation guidance.
```
# Some operations require root
adb root # If device is rooted
# Shutdown device (root required)
adb shell reboot -p
```
The skill includes USB device enumeration and identification capabilities via Termux USB API, which can be used to discover and fingerprint USB devices connected to the host system beyond just Android devices.
```
# List USB devices
termux-usb -l
# Identify device (grant permission when prompted)
termux-usb -r -e scripts/usb_identify.py /dev/bus/usb/001/002
```
The skill includes ADB port forwarding commands that can create tunnels between host and device networks, potentially enabling lateral movement into network segments accessible by the Android device.
```
# Port forwarding
adb forward tcp:8080 tcp:8080
# Reverse port forwarding
adb reverse tcp:8080 tcp:8080
```
The skill describes a setup script that installs itself into ~/.claude/skills/ directory and ~/.termux/boot/ for persistence. Installing scripts into the Claude skills directory could constitute skill/tool poisoning if the setup.sh script is attacker-controlled.
```
cd ~/.claude/skills/adb-android-control/termux
./setup.sh ZFOLD7 192.168.1.103:34591
This installs:
- Auto-connect service (reconnects every 30s)
- Boot script (starts on Termux launch)
- Connection monitor (detects port changes)
- Control script (`adb-control`)
```
The skill contains hardcoded references to a specific named device (ZFOLD7 - Samsung Galaxy Z Fold 7) with precise network coordinates and serial numbers, suggesting this skill may be pre-configured for targeted access to a specific individual's device rather than general-purpose use.
```
./setup.sh ZFOLD7 192.168.1.103:34591
ZFOLD7=192.168.1.103:33467
DEVICE_SERIAL="RFCY7036LSY"
DEVICE_ANDROID_ID="54116884d88102e3"
```
The skill includes comprehensive UI automation via input simulation (taps, swipes, text entry, key events) combined with uiautomator dump capabilities. This could be used to bypass security dialogs and confirmations programmatically without human involvement.
```
# UI dump (for automation)
adb shell uiautomator dump /sdcard/ui.xml
# Monkey testing (random events)
adb shell monkey -p com.example.app -v 500
adb shell input tap 540 960
adb shell input text "HelloWorld"
```
The skill installs a service that continuously reconnects to devices every 30 seconds indefinitely, without requiring user confirmation for each reconnection attempt. This is an unbounded retry pattern that bypasses user oversight.
```
Auto-connect service (reconnects every 30s)
ADB_RECONNECT_INTERVAL="30"
Continuous monitoring of ADB and WiFi state
python3 scripts/connection_monitor.py run 30
```
The skill is described as a general-purpose ADB reference/helper, but contains pre-configured targeting of specific devices with hardcoded credentials (serial, Android ID, IP), persistent surveillance infrastructure, and automated port scanning - capabilities far exceeding what a reference skill would need.
Skill description: 'Comprehensive Android device control via ADB'

Actual content: Hardcoded device serial RFCY7036LSY, Android ID 54116884d88102e3, persistent boot services, automated network scanning, continuous radio surveillance scripts, device-specific IP configuration