firebase-apk-scanner
Scan Android APKs for Firebase misconfigurations and security vulnerabilities
Developer Setup
Setup & Installation
npx skills add https://github.com/trailofbits/skills --skill firebase-apk-scanner
Overview
What This Skill Does
Scans Android APKs for Firebase security misconfigurations by decompiling the app, extracting Firebase configuration, and actively testing endpoints for vulnerabilities. Checks Realtime Database, Firestore, Storage buckets, Cloud Functions, and authentication settings for unauthenticated access and weak rules. Reports findings with severity ratings and remediation guidance.
Documentation
Firebase APK Security Scanner
Scan Android APKs for Firebase security misconfigurations including open databases, exposed storage buckets, and authentication bypasses.
When to Use
Use this skill when you need to:
- Audit Android applications for Firebase misconfigurations
- Test Firebase endpoints extracted from APKs (Realtime Database, Firestore, Storage)
- Check authentication security (open signup, anonymous auth, email enumeration)
- Enumerate Cloud Functions and test for unauthenticated access
- Perform mobile app security assessments involving Firebase backends
When NOT to Use
- Scanning apps you do not have explicit authorization to test
- Testing production Firebase projects without written permission
- When you only need to extract Firebase config without testing (use manual grep/strings instead)
- For non-Android targets (iOS, web apps) - this skill is APK-specific
- When the target app does not use Firebase
What It Does
This skill automates Firebase security testing for Android applications. When invoked, Claude will: