Android TikTok Automation

Scanned on 2/7/2026

⚠️ 45/100 high

Android automation library with significant command injection vulnerabilities and unrestricted device control capabilities that could be exploited for malicious purposes.

Trust Score
45/100
Risk Level
high
Issues Found
7

Security Analysis

This Android automation library presents HIGH security risks primarily due to command injection vulnerabilities and unrestricted device control. The _run_adb method accepts arbitrary arguments that are passed directly to subprocess, allowing potential attackers to execute malicious ADB commands. The library provides complete control over connected Android devices including UI manipulation, file access, and shell command execution without any authorization checks. The use of predictable temporary file paths creates race conditions. XML parsing without XXE protection could allow malicious XML to compromise the system. While the code avoids shell=True and includes timeouts, these positives are overshadowed by the critical command injection risk and lack of access controls. This plugin should NOT be installed without significant security hardening including input validation, command whitelisting, user consent mechanisms, and secure file handling.

Security Findings

critical - code-execution

Command injection vulnerability in the _run_adb method: user-controlled parameters are passed directly to subprocess without sanitization.

Evidence:

cmd.extend(args) followed by subprocess.run(cmd, ...) - arbitrary ADB commands can be executed, including shell commands

Recommendation: Implement strict input validation and whitelist allowed ADB commands. Use parameterized command construction instead of direct argument passing.

high - code-execution

Unrestricted shell command execution through ADB: methods such as tap, swipe, and dump_ui execute arbitrary shell commands on connected Android devices.

Evidence:

self._run_adb('shell', 'input', 'tap', str(x), str(y)) and self._run_adb('shell', 'uiautomator', 'dump', '/sdcard/ui_dump.xml')

Recommendation: Restrict shell commands to a predefined whitelist. Validate all coordinate inputs and file paths.

high - filesystem

Hardcoded temporary file path /tmp/android_ui_dump.xml creates a race condition and a potential information disclosure vulnerability.

Evidence:

tmp_path = '/tmp/android_ui_dump.xml' - predictable path allows file hijacking attacks

Recommendation: Use tempfile.mkstemp() or tempfile.NamedTemporaryFile() to create secure temporary files with random names.

medium - filesystem

Writes to device storage without path validation: could overwrite critical files on the Android device.

Evidence:

self._run_adb('shell', 'uiautomator', 'dump', '/sdcard/ui_dump.xml') - fixed path on device storage

Recommendation: Validate and sanitize all file paths. Use application-specific directories with proper permissions.

medium - code-execution

XML parsing without security restrictions could be vulnerable to XML External Entity (XXE) attacks.

Evidence:

tree = ET.parse(xml_path) - uses the default XML parser without disabling external entities

Recommendation: Parse the dump with the defusedxml library (e.g. defusedxml.ElementTree.parse(xml_path)), which rejects external entities and entity expansion. Note that the stdlib xml.etree.ElementTree.XMLParser does not accept a resolve_entities argument; that keyword belongs to lxml.etree.XMLParser(resolve_entities=False), which is the equivalent setting if lxml is used instead.

medium - other

No authentication or authorization checks: any code can control connected Android devices without user consent.

Evidence:

AndroidAutomation class provides full device control with no permission checks or user confirmation

Recommendation: Implement a user consent mechanism before device operations. Add a capability-based permissions system.

low - other

Timeout set to 30 seconds could allow denial of service through hung commands.

Evidence:

subprocess.run(cmd, capture_output=capture_output, text=True, timeout=30)

Recommendation: Reduce the timeout to 5-10 seconds for most operations. Make the timeout configurable per operation type.

✅ Good Security Practices

  • Uses subprocess.run with an argument list instead of shell=True, preventing shell metacharacter injection (though not injection of arbitrary ADB arguments)
  • Includes timeout parameter to prevent indefinite hangs
  • Verbose logging option helps with debugging and audit trails
  • Type hints improve code clarity and reduce certain classes of bugs
  • Structured error handling with return code checking

Source Information