decx-poc (from the decx plugin)

Builds an Android exploit proof-of-concept from one DECX proof-graph verified chain. Queries the evidence graph, runs the sink re-verification protocol, then scaffolds and implements a PoC project with optional compile and ADB deployment.

Slash command: `/decx:decx-poc`

Summary shown in Claude's skill listing (used to decide when to auto-load this skill): Turn one finalized finding from the evidence graph into one buildable `poc-<target>` project.
Skill files:

- assets/poc-template-app/app/build.gradle
- assets/poc-template-app/app/src/main/AndroidManifest.xml
- assets/poc-template-app/app/src/main/java/com/poc/targetapp/ExploitEntry.java
- assets/poc-template-app/app/src/main/java/com/poc/targetapp/ExploitRegistry.java
- assets/poc-template-app/app/src/main/java/com/poc/targetapp/PoCActivity.java
- assets/poc-template-app/app/src/main/res/layout/activity_poc.xml
- assets/poc-template-app/app/src/main/res/values/strings.xml
- assets/poc-template-app/app/src/main/res/values/styles.xml
- assets/poc-template-app/gradle.properties
- assets/poc-template-app/gradle/libs.versions.toml
- assets/poc-template-app/gradle/wrapper/gradle-wrapper.jar
- assets/poc-template-app/gradle/wrapper/gradle-wrapper.properties
- assets/poc-template-app/gradlew
- assets/poc-template-app/gradlew.bat
- assets/poc-template-app/settings.gradle
- assets/poc-template-server/public/index.html
- assets/poc-template-server/public/payload.html
- assets/poc-template-server/public/scenario.js
- assets/poc-template-server/server.mjs
- references/index.md
Use only when the user asks to build or prepare a PoC from one DECX verified chain. Query the evidence graph with node scripts/decx-analysis-db.mjs. Do not use for vulnerability discovery, chain tracing, report generation, or generic exploit-writing advice. If no verified chain exists, route back to the relevant vulnhunt skill.
Default ceiling: build-ready unless the user explicitly asks for compile or deploy. Templates: assets/poc-template-app/ and assets/poc-template-server/.
```sh
node scripts/decx-analysis-db.mjs chains <dir> --root-prefix entrypoint --leaf-prefix impact
node scripts/decx-analysis-db.mjs path <dir> --from <entrypoint_fact> --to <sink_fact>
node scripts/decx-analysis-db.mjs ancestors <dir> --fact <sink_fact>
```
Determine target kind from fact prefixes: service-entrypoint or binder-reachability → framework; otherwise app.
Fields needed: entrypoint + sink fact IDs, trigger details (from fact body/evidence), victim package/class or framework service name, component type or Binder interface, guard outcome facts, impact details, DECX port/session.
Before writing any PoC code, confirm each of the following:

- [ ] `path --from <entrypoint> --to <sink>` returns a connected chain

If any check fails: write a dead-end fact with the blocker reason and stop PoC construction. Do not write exploit code, create a project, compile, deploy, or state runtime-validated / poc-validated.
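The gate above, written out as an added example (not code from the decx-poc skill): it accepts only a chain whose entrypoint and sink facts exist and are connected, otherwise it yields a dead-end fact with the blocker reason. The graph shape (`facts` as a Set of ids, `edges` as `[from, to]` pairs) and the sample ids are assumptions, not the real `decx-analysis-db.mjs` output format.

```javascript
// Added example, not part of the decx-poc skill. Models the pre-flight gate:
// start a PoC only when entrypoint and sink facts exist and are connected;
// otherwise emit a dead-end fact and stop (no project, no exploit code).
// Graph shape {facts: Set<id>, edges: [from, to][]} is an assumed simplification.

const FRAMEWORK_PREFIXES = ["service-entrypoint", "binder-reachability"];

// Target kind from the entrypoint fact prefix (rule from the skill text).
function targetKind(entrypointId) {
  return FRAMEWORK_PREFIXES.some((p) => entrypointId.startsWith(p)) ? "framework" : "app";
}

// Directed reachability from `from` to `to` (breadth-first); returns the fact path or null.
function findPath(graph, from, to) {
  const next = new Map();
  for (const [a, b] of graph.edges) {
    if (!next.has(a)) next.set(a, []);
    next.get(a).push(b);
  }
  const parent = new Map([[from, null]]);
  const queue = [from];
  while (queue.length) {
    const cur = queue.shift();
    if (cur === to) {
      const path = [];
      for (let n = to; n !== null; n = parent.get(n)) path.unshift(n);
      return path;
    }
    for (const nb of next.get(cur) ?? []) {
      if (!parent.has(nb)) { parent.set(nb, cur); queue.push(nb); }
    }
  }
  return null;
}

function preflight(graph, entrypointId, sinkId) {
  const blockers = [];
  if (!graph.facts.has(entrypointId)) blockers.push(`missing entrypoint fact ${entrypointId}`);
  if (!graph.facts.has(sinkId)) blockers.push(`missing sink fact ${sinkId}`);
  const chain = blockers.length ? null : findPath(graph, entrypointId, sinkId);
  if (!blockers.length && !chain) blockers.push(`no connected chain from ${entrypointId} to ${sinkId}`);
  if (blockers.length) {
    // Gate failed: the only output is a dead-end fact carrying the blocker reason.
    return { decision: "dead-end", deadEndFact: { id: `dead-end:${sinkId}`, reason: blockers.join("; ") } };
  }
  const kind = targetKind(entrypointId);
  // Delivery rule from the rules table: framework findings use direct Binder calls.
  return { decision: "proceed", targetKind: kind, delivery: kind === "framework" ? "direct-binder" : "component-ipc", chain };
}

// Constructed sample graph (not real DECX output): one connected chain, one unreached sink.
const sampleGraph = {
  facts: new Set(["entrypoint:com.example.victim/.ExportedReceiver", "guard:no-caller-check",
    "sink:provider-query", "impact:data-read", "sink:unreached-file-write"]),
  edges: [["entrypoint:com.example.victim/.ExportedReceiver", "guard:no-caller-check"],
    ["guard:no-caller-check", "sink:provider-query"], ["sink:provider-query", "impact:data-read"]],
};
```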
- [ ] Read one verified chain (chains/path/ancestors)
- [ ] Run Sink Re-Verification Protocol
- [ ] Select trigger and requirements
- [ ] Create or reuse PoC project (setup-poc.mjs)
- [ ] Load one matching reference (references/index.md)
- [ ] Implement exploit
- [ ] Register exploit in ExploitRegistry
- [ ] Optional compile (explicit request only)
- [ ] Optional deploy and runtime check (explicit request only)
- [ ] Close DECX session
```sh
# Proof graph queries
node scripts/decx-analysis-db.mjs chains <dir> --root-prefix entrypoint --leaf-prefix impact
node scripts/decx-analysis-db.mjs path <dir> --from <entrypoint_fact> --to <sink_fact>
node scripts/decx-analysis-db.mjs ancestors <dir> --fact <sink_fact>
node scripts/decx-analysis-db.mjs export <dir>

# DECX session
decx process open "<apk-path>" -P <port>
decx ard framework open "<jar>" --name "<target>" -P <port>
decx code method-source "<full-method-sig>" -P <port>
decx process close --port <port>

# PoC project
node skills/decx-poc/scripts/setup-poc.mjs <target-app>
node skills/decx-poc/scripts/check-env.mjs
cd poc-<target>/app && timeout 300 ./gradlew assembleDebug --no-daemon
```
| Rule | Rationale |
|---|---|
| One active chain in context | prevents contamination |
| One `poc-<target>` per target, one exploit id per finding | reuse the project, not exploits |
| `applicationId` under `com.poc.*`, `allowBackup="false"` | PoC hygiene |
| Replace every placeholder with verified target values | stale values = no-op exploit |
| Hidden-API exemption for framework Binder calls (`HiddenApiBypass.addHiddenApiExemptions("")`) | `ServiceManager`/`Stub.asInterface` need it; omitting it → `NoSuchMethodException` at runtime |
| Framework findings use direct Binder calls, NOT `startActivity`/`bindService`/`sendBroadcast` | wrong delivery = PoC never reaches target |
| Close DECX session in the same response that completes the PoC | resource cleanup |
| Log a real proof signal, not a theory statement | "returned rows" not "exploit executed" |
| Two-stage exploits modeled as capture → trigger | explicit handle acquisition |
References:

- references/index.md: PoC shape routing matrix
- references/poc-workflow.md: output contract, compile/deploy
- references/poc-base.md: shared registration + success signal contract
- references/poc-app-*.md, references/poc-framework-service.md: per-surface code templates

Install the plugin: `npx claudepluginhub jygzyc/decx --plugin decx`