Jadx
APK decompile + a systematic grep checklist for secrets, weak crypto, SQLi, and WebView holes.
Test report
- Verdict
- Works with setup
- Score
- Tested
- Jul 13, 2026
- Environment
- Claude Code 2.x (agent harness)
- Upstream re-checked
- Jul 18, 2026 · d0269f0
Planted 6 realistic vulns (hardcoded API key/password, MD5 hashing, string-concat SQL rawQuery, JS-enabled WebView with addJavascriptInterface, MODE_WORLD_READABLE prefs) in a fake decompiled tree: an ad hoc baseline grep caught only 2, the skill's documented Workflow-1 checklist caught all 6. Note: no files are referenced from the SKILL.md itself, but the jadx binary + a JRE are required and are not bundled -- neither was available in this sandbox, so decompilation itself (as opposed to the post-decompile grep workflow) went untested.
Scored on four weighted criteria — install, triggering, output vs. baseline, docs. How scoring works
- Installs cleanly 5/5
- Triggers reliably 5/5
- Output vs. baseline 9/10
- Docs & honesty 5/5
What Jadx does
Wraps the jadx DEX-to-Java decompiler with a documented CLI/GUI workflow and a security-analysis checklist covering hardcoded secrets, weak crypto, SQL injection, insecure storage, and WebView vulnerabilities. Triggers when the user wants to decompile an APK, read app logic as Java, or hunt for vulnerabilities and hardcoded credentials in an Android app.
How to install Jadx
git clone https://github.com/BrownFineSecurity/iothackbot
cd iothackbot
mkdir -p ~/.claude/skills
cp -r skills/jadx ~/.claude/skills/jadx
Skills live in ~/.claude/skills/ (global) or .claude/skills/
(per-project). Restart Claude Code after installing.
Commands — how to trigger Jadx
-
/jadxAPK decompile + a systematic grep checklist for secrets, weak crypto, SQLi, and WebView holes.
It also activates on plain-language prompts like these:
-
Decompile this APK and check for hardcoded secrets and weak crypto -
Pull the Java source from this Android app and look for SQL injection -
Scan this app's decompiled code for WebView and insecure storage holes
Frequently asked questions
- Is the Jadx skill free?
- Yes. The skill itself is free from BrownFineSecurity/iothackbot. SkillProof publishes the install command and an independent test verdict at no cost.
- Does Jadx work with Claude Code?
- We tested it with Claude Code 2.x (agent harness) on Jul 13, 2026. Verdict: Works with setup. Planted 6 realistic vulns (hardcoded API key/password, MD5 hashing, string-concat SQL rawQuery, JS-enabled WebView with addJavascriptInterface, MODE_WORLD_READABLE prefs) in a fake decompiled tree: an ad hoc baseline grep caught only 2, the skill's documented Workflow-1 checklist caught all 6. Note: no files are referenced from the SKILL.md itself, but the jadx binary + a JRE are required and are not bundled -- neither was available in this sandbox, so decompilation itself (as opposed to the post-decompile grep workflow) went untested.
- What is the Jadx SkillProof Score?
- 9.6/10 — installs cleanly 5/5, triggers reliably 5/5, output vs. baseline 9/10, docs & honesty 5/5.
- How do I install Jadx?
- Copy the install command from this page, run it in your terminal, and restart Claude Code. Skills live in ~/.claude/skills/ (global) or .claude/skills/ inside a project.
- Can I use Jadx with Cursor, Copilot, Gemini CLI, Codex or other AI tools?
- The SKILL.md format is native to Claude (Claude Code, Desktop, claude.ai). The instructions inside adapt to other assistants: Cursor rules, GitHub Copilot instructions, Windsurf rules, Custom GPTs, AGENTS.md for OpenAI Codex, and GEMINI.md for Google Gemini CLI — our conversion guides cover each, and the free converter on the tools page does the wrapping for you.