simoneavogadro/android-reverse-engineering-skill

This is a plugin for Claude Code (Anthropic's AI coding assistant) that automates Android app decompilation and API extraction. When you have an Android app file (an APK, XAPK, JAR, or AAR file) but no access to the original source code, this tool can disassemble the compiled app back into readable Java code and then search through that code to find all the web addresses and network calls the app makes. The practical use case is reverse engineering: a developer, security researcher, or tester who needs to understand how an app communicates with its servers can use this to find the API endpoints the app calls, what authentication tokens or headers it sends, and which code paths lead from a user action (like tapping a login button) all the way through to a network request. This kind of analysis is used in authorized security audits, malware investigation, and interoperability research. The plugin integrates with Claude Code through what the project calls a skill. Once installed, you can type a command like /decompile path/to/app.apk or just describe what you want in plain English ("extract API endpoints from this app") and Claude will run the decompilation scripts and then analyze the resulting code. The underlying decompilation is done by established open-source tools: jadx is the primary one, with optional support for Fernflower and Vineflower for cases where jadx produces less readable output. The repository includes shell scripts that can also be run directly without the Claude Code plugin, which means the individual steps (check dependencies, decompile, find API calls) work as standalone command-line tools too. Windows users can use the experimental PowerShell versions of those same scripts. The README includes an explicit disclaimer that the tool is intended only for lawful uses: authorized security testing, malware analysis, educational purposes, and interoperability work allowed under applicable law. The project is released under the Apache 2.0 license.