Simone Avogadro
ec0f6700f8
- Add keywords, skills and commands paths to plugin.json - Add argument-hint to decompile command for better UX - Add description to SKILL.md frontmatter for skill auto-matching Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3.6 KiB
allowed-tools, description, user-invocable, argument-hint, argument
| allowed-tools | description | user-invocable | argument-hint | argument |
|---|---|---|---|---|
| Bash, Read, Glob, Grep, Write, Edit | Decompile an Android APK/XAPK/JAR/AAR and analyze its structure | true | <path to APK, XAPK, JAR, or AAR file> | path to APK, XAPK, JAR, or AAR file (optional) |
/decompile
Decompile an Android application and perform initial structure analysis.
Instructions
You are starting the Android reverse engineering workflow. Follow these steps:
Step 1: Get the target file
If the user provided a file path as an argument, use that. Otherwise, ask the user for the path to the APK, XAPK, JAR, or AAR file they want to decompile.
Step 2: Check and install dependencies
Run the dependency check:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.sh
Parse the output looking for INSTALL_REQUIRED: and INSTALL_OPTIONAL: lines.
If required dependencies are missing, install them one by one:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/install-dep.sh java
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/install-dep.sh jadx
The install script auto-detects the OS and installs without sudo when possible (user-local install to ~/.local/). If sudo is needed, it will prompt — if the user declines or sudo is unavailable, the script prints exact manual instructions (exit code 2). Show those instructions to the user and stop.
For optional dependencies (INSTALL_OPTIONAL:vineflower, INSTALL_OPTIONAL:dex2jar, etc.), ask the user if they want to install them. Recommend vineflower and dex2jar for better results.
After any installations, re-run check-deps.sh to verify. Do not proceed until all required dependencies pass.
Step 3: Decompile
Run the decompile script on the target file. Choose the engine based on the input:
-
APK or XAPK → use jadx first (handles resources natively; XAPK is auto-extracted):
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.sh <file> -
JAR/AAR and Fernflower is available → prefer fernflower for better Java output:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower <file> -
If jadx output has warnings or the user wants the best quality → run both and compare:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.sh --engine both <file>
For obfuscated apps (if the user mentions it or you detect single-letter package names), add --deobf:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.sh --deobf <file>
Step 4: Analyze structure
After decompilation completes:
- Read
AndroidManifest.xmlfrom the resources directory. For XAPK, check the base APK's output first. - If XAPK, review
xapk-manifest.jsonin the output directory to understand the split structure. - List the top-level package structure
- Identify the app's main Activity, Application class, and architecture pattern
- Report a summary to the user
Step 5: Offer next steps
Tell the user what they can do next:
- Trace call flows: "I can follow the execution flow from any Activity to its API calls"
- Extract APIs: "I can search for all HTTP endpoints and document them"
- Analyze specific classes: "Point me to a specific class or feature to analyze"
- Re-decompile with Fernflower: If jadx output has warnings, offer to re-run with
--engine bothfor comparison
Refer to the full skill documentation in ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/SKILL.md for the complete workflow.