Apktool
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Apktool/JADX command-reference skill; it has expected local install and APK-modification commands, but no evidence of hidden data collection, credential use, or deceptive behavior.
This skill appears safe to install if you need Apktool/JADX guidance. Before using it, verify any manually downloaded tools, avoid running sudo install commands you do not understand, and only reverse-engineer or modify APKs you have permission to analyze.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the downloaded archive or release source were compromised, the installed jadx command could run untrusted code on the user’s machine.
The documented manual installer downloads an external archive and places a binary on the system PATH. This is consistent with installing JADX for APK analysis, but the artifact contains no checksum or signature verification step.
"script": "cd /tmp && curl -L -o jadx.zip https://github.com/skylot/jadx/releases/download/v1.5.0/jadx-1.5.0.zip && unzip -o jadx.zip && mkdir -p /opt/jadx ... && ln -sf /opt/jadx/jadx /usr/local/bin/jadx"
Prefer package-manager installation where available, or verify release checksums/signatures before running the manual install script.
Running the examples without care could overwrite APK outputs or install a modified app onto a connected device.
The skill includes commands to rebuild, sign, and install modified APKs. These actions are expected for this tool, but they can alter local files and affect a connected Android device if run.
"apktool b myapp_mod -o myapp_modified.apk" ... "apksigner sign --ks mykey.jks myapp_modified.apk" ... "adb install myapp_modified.apk"
Use the commands only on APKs you are authorized to analyze, choose output paths carefully, and review any install/signing action before executing it.
