Add a top-level note flagging PS1 scripts as experimental and pointing
issues to this repo. Add an Acknowledgments section crediting the four
external contributors of the recent PR wave (#4, #8, #10, #12).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat: add Windows/PowerShell support
Add PowerShell equivalents of all bash scripts for Windows users:
- check-deps.ps1: Dependency verification with PATH refresh
- install-dep.ps1: Install via winget/scoop/choco or direct download
- decompile.ps1: APK/XAPK/JAR/AAR decompilation with split APK detection
- find-api-calls.ps1: API endpoint extraction (Retrofit, URLs, auth)
Update SKILL.md with Windows-specific instructions and notes for
each workflow phase.
PowerShell scripts support the same options as their bash counterparts
and automatically refresh PATH after installations.
* fix: check-deps.ps1 jadx fallback path version check, decompile.md lint fixes
- decode-apk.sh preserves XAPK structure (.xapk-origin/) with splits, manifest, and metadata for automatic reassembly
- rebuild-apk.sh detects .xapk-origin/, re-signs all split APKs, and assembles final .xapk output
- Add --auto-keystore flag: prioritizes ~/.android/debug.keystore → previous debug key → generated key
- Add neutralize-all compound target to install-dep.sh (java + apktool + apksigner + zip in one command)
- Add apktool version check (>= 2.9.0) with automatic upgrade from GitHub releases
- Add install_zip() and zip dependency check for XAPK rebuild
- All scripts now prepend ~/.local/bin to PATH for user-local tool installs
- Update SKILL.md Phase 3 with built-in catalog detection workflow and custom SDK discovery using Claude Code tools
- Update neutralize.md, CLAUDE.md, and README.md with XAPK and auto-keystore documentation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Six improvements from real-world testing on Water Sort Puzzle XAPK:
- Fix manifest patching creating duplicate android:enabled attributes when
the component already has android:enabled="true" (3-way check logic)
- Add decode-apk.sh with XAPK support (auto-extracts base APK, skips splits)
- Add apktool >= 2.9.0 minimum version check in check-neutralize-deps.sh
- Add --no-res fallback in rebuild-apk.sh when apktool build fails on resources
- Add 13 missing manifest components (Vungle new SDK, Meta AN provider,
AppLovin/BidMachine/IronSource init providers, Amazon APS, Pangle/Mintegral
activities, Smaato, AppsFlyer internal receiver)
- Add patch persistence via neutralize-manifest.json and --replay flag
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduces two new skills for privacy auditing of decompiled Android apps:
- tracker-analysis: 4-phase workflow detecting Firebase, Adjust, AppsFlyer,
Mixpanel, Amplitude, Segment, Braze, CleverTap, Flurry with init/events/
consent/data exfiltration analysis
- ad-analysis: 3-phase workflow detecting AdMob, Unity, IronSource, AppLovin,
Meta AN, Vungle, InMobi, Chartboost, Pangle, Mintegral with ad format
mapping, mediation analysis, and consent framework detection
Key addition: --entrypoints flag in find-ads.sh distinguishes SDKs actively
called by app code from passive mediation adapter dependencies, enabling
accurate "Ad Architecture" classification (single mediator / multiple direct /
hybrid).
Also improves install-dep.sh sudo detection for non-interactive environments
(Claude Code, CI, pipes) and adds CLAUDE.md project instructions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Simone Avogadro
YIPEI WEI
Phil Nachreiner
Roshan Warrier