Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Apk Decompiler
v1.0.0Android APK 逆向工程工具集,支持反编译、修改和重新打包。使用场景:(1) 反编译 APK 查看 Smali/Java 源码 (2) 分析应用架构和权限 (3) 修改 UI 文本、功能、逻辑 (4) 重新打包并签名 APK (5) 提取字符串、权限、组件等信息。触发词:反编译 APK、逆向 Androi...
⭐ 0· 116·0 current·0 all-time
by@tonakic
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the provided scripts and references: decompile.py, analyze.py, rebuild.py and setup_tools.sh implement decompilation, analysis, modification and repackage/sign workflows described in SKILL.md. Required capabilities (Java, unzip, Python) are appropriate and no unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions are scoped to operating on local APK files and editing Smali/resources. The SKILL.md tells the agent to run setup_tools.sh and the Python scripts which read/write local files under the output/project directories. There are no instructions to read unrelated system files or to transmit analysis results to external endpoints. Note: setup_tools.sh and the scripts will create ~/.apk-tools (or TOOLS_DIR) and download tools — review these downloads before running.
Install Mechanism
No packaged install spec; setup_tools.sh downloads required tooling (baksmali/smali/apktool/dex2jar/uber-apk-signer) from Bitbucket/GitHub releases via curl and unzips dex2jar. These are well-known project hosts, but the script performs network downloads and writes executables/jars to disk (moderate risk if the sources or versions are not verified). This behavior is expected for the skill's purpose.
Credentials
The skill requests no environment variables or credentials by default. It optionally respects TOOLS_DIR for tool storage; this is reasonable. No secret exfiltration or unrelated tokens are requested.
Persistence & Privilege
always is false and the skill does not request forced persistent presence. It writes its own tools into ~/.apk-tools (or TOOLS_DIR), which is normal for a tooling script and limited in scope to its own directory.
Assessment
This skill appears to do what it says: decompile, inspect, modify and rebuild APKs. Before installing or running: (1) review setup_tools.sh to confirm the download URLs and versions (it uses curl to fetch jars/zips and will write to ~/.apk-tools or TOOLS_DIR); (2) run the scripts in an isolated environment (VM/container) if you will process untrusted APKs; (3) verify you have Java and unzip installed; (4) be aware of legal/ethical constraints — modifying and redistributing apps can violate licenses or law; (5) when rebuilding, the tool signs with debug keys (not suitable for publishing). If you want stronger assurance, replace download URLs with checksummed releases or preinstall the required tools from trusted package managers before using the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk971p42b0xsngvdqstcd1ebegs83ffha
License
MIT-0
Free to use, modify, and redistribute. No attribution required.