AIAny
AI Agent2026
Icon for item

Android Reverse Engineering & API Extraction — Claude Code skill

Automates decompiling APK/AAR/JAR and extracting HTTP APIs — Retrofit endpoints, OkHttp calls, hardcoded URLs, and auth patterns — so you can document and reproduce an app's network surface without source code. Integrates jadx/Vineflower/Fernflower and scripts for call-flow tracing.

Introduction

Most mobile apps expose a network surface (endpoints, auth flows, hardcoded URLs) that matters more for interoperability, security research, and incident response than their UI code. When source is unavailable, the tedious part isn't decompiling per se but locating and documenting the app's HTTP patterns and the call paths that reach them. This Claude Code skill automates that gap: it orchestrates decompilation engines and targeted analyses to produce a focused API map and call-flow traces you can act on.

What Sets It Apart
  • Targeted API extraction: hunts for Retrofit interfaces, OkHttp usages, hardcoded URLs, and common auth header/token patterns so you get a concise list of endpoints and auth flows rather than raw decompiled code — which saves manual triage time.
  • Multi-engine decompilation and comparison: supports jadx and Fernflower/Vineflower (single or side‑by‑side) to improve readability on obfuscated/complex bytecode and reduce missed references.
  • Call-flow tracing: links Activities/Fragments through ViewModels/repositories down to HTTP calls, producing actionable traces that show where in the app network calls originate.
  • Plugin + scripts workflow: usable as a Claude Code skill (slash commands and natural-language prompts) and as standalone scripts for automation or CI integration.
Who It's For & Trade-offs

Great fit if you are a security researcher, malware analyst, incident responder, interoperability engineer, or developer needing to document third-party app APIs without source access. It reduces manual search and gives structured outputs suitable for reporting or tests.

Look elsewhere if you need a turnkey commercial GUI with formal licensing support, or if you require binary-level instrumentation or dynamic hooking (this tool focuses on static analysis and extraction workflows, not runtime instrumentation). Also ensure you have legal authorization before analyzing third-party apps — the repository's README stresses lawful use only.

Where It Fits

Best used as part of a reverse-engineering or incident-response pipeline: run decompilation + extraction to produce an API inventory, then use dynamic testing or instrumentation to validate endpoints and auth behaviors.

Information

  • Websitegithub.com
  • AuthorsSimoneAvogadro
  • Published date2026/02/02

Categories

More Items

Turns fragile, implicit search progress into explicit, persistent, shared state for multi-agent information seeking — externalizes progress as Frontier Task, Evidence Graph, Coverage Map and Failure Memory, and uses pipeline-parallel scheduling plus a middleware harness to avoid repeated failed searches and improve utilization and throughput.

GitHub
AI Agent2026

Provides a lightweight Python harness that turns LLMs into working agents with tool-use, skills, persistent memory, permission controls and multi-agent coordination. Ships with a CLI/React TUI, 43+ built-in tools, a plugin/skill system and the ohmo personal-agent for chat gateways. Best for developers prototyping agent workflows and multi-agent experiments.

GitHub
AI Client2025

Turns Chromium into a local-first AI browser with an embedded assistant that can summarise pages, extract structured data, automate web tasks, and run scheduled agents. Built as an open-source Chromium fork with 53+ built-in browser tools, 40+ app integrations, and support for BYO AI keys or fully local models (Ollama / LM Studio).