FlutterGuard

agent
Security Audit
Warning
Health: Warning
  • No license — Repository has no license file
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 23 GitHub stars
Code: Warning
  • Code scan incomplete — No supported source files were scanned during light audit
Permissions: Passed
  • Permissions — No dangerous permissions requested

No AI report yet for this listing.

SUMMARY

Flutter APK/AAB security SKILL.md for OpenClaw, Codex, Claude Code, and other AI coding agents

README.md

FlutterGuard

FlutterGuard is an agent-native APK/AAB security review skill for Flutter Android releases.

It is a pure agent skill for Claude Code, Codex, Cursor, OpenClaw, Gemini CLI, and other coding agents. Install or reference the single skill, then ask your agent to inspect a Flutter Android release artifact before shipping.

FlutterGuard is not a CLI. It is not an APK scanner app. It is not a static analyzer. It is one operational agent skill plus safety boundaries for APK/AAB security review.

Install

Use this repository directly with any agent platform that supports local skills, instruction packs, or project-level agent guidance. The skill entrypoint is the root SKILL.md.

Recommended install:

  • SKILL.md

Then ask:

Use FlutterGuard to review this Flutter APK before release.

Agent Platforms

Codex:

  • Start with AGENTS.md.
  • Reference the repository root or SKILL.md.

Claude Code:

  • Copy this repository, or its root SKILL.md, into your Claude Code skills location.

OpenClaw:

  • Add this repository as an instruction pack.

Other agents:

  • Point the agent at the repository root or SKILL.md.
  • Include AGENTS.md as repository-level behavior guidance if your platform supports it.

What It Checks

  • APK/AAB metadata: package name, version, SDK levels, size, ABIs, native libraries, and Flutter evidence.
  • Android manifest risk: permissions, exported components, cleartext traffic, debug flags, backup behavior, providers, services, receivers, and deep links.
  • Embedded secret risk: resources, assets, Flutter assets, decompiled wrapper code, and readable strings from libapp.so.
  • Network security: cleartext settings, network security config, certificate trust signals, backend hosts, staging endpoints, and pinning context.
  • WebView and platform bridge risk: WebView flags, JavaScript bridges, MethodChannel/EventChannel names, and native wrapper attack surface.
  • Signing and release signals: APK signature verification, certificate identity, debug certificate indicators, and release evidence available from the artifact.
  • Third-party service signals: Firebase, Google Maps, AWS, Sentry, Stripe, RevenueCat, OneSignal, Supabase, analytics SDKs, and similar markers.

Skill

SKILL.md

Use when an APK/AAB artifact exists or the user asks for Flutter Android artifact safety review.

Example Output

FlutterGuard APK Security Report

Artifact: build/app/outputs/flutter-apk/app-release.apk
Flutter Evidence: confirmed
Status: RISKY
Score: 72/100

Critical:
- None found from available evidence.

High Risk:
- android:allowBackup is enabled for an app that appears to handle account data.
  Evidence: AndroidManifest.xml application node.
  Recommended action: Review backup policy and disable or constrain backup after human approval.

Warnings:
- Staging API hostname appears in libapp.so strings.
  Evidence: lib/arm64-v8a/libapp.so strings, value redacted to host only.

Informational:
- Package: com.example.app
- Target SDK: 35
- ABIs: arm64-v8a, armeabi-v7a
- Detected services: Firebase, Sentry

Requires Human Approval:
- Backup behavior change
- Endpoint migration or rotation strategy
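As an added illustration of the "Android manifest risk" checks listed under What It Checks, and of how findings map onto the report layout shown in the Example Output, the following is example code written for this page, not FlutterGuard's own code. It assumes a decoded AndroidManifest.xml (for example apktool output); the sample manifest, the flag table and the severity labels are constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android: attributes

# Constructed sample of a decoded manifest (apktool-style) with weak release settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:allowBackup="true" android:debuggable="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".AuthService" android:exported="true" android:permission="com.example.app.AUTH"/>
  </application>
</manifest>"""

# <application> flags that should be off in a release build: attr -> (severity, title, action).
APP_FLAGS = {
    "debuggable": ("High", "android:debuggable is enabled", "Build the release with debuggable=false."),
    "allowBackup": ("High", "android:allowBackup is enabled", "Review backup policy; disable or constrain backup."),
    "usesCleartextTraffic": ("Warning", "Cleartext traffic is allowed", "Require HTTPS via network security config."),
}
COMPONENTS = ("activity", "service", "receiver", "provider")

def audit_manifest(xml_text):
    """Return findings as (severity, title, evidence, recommended action) tuples."""
    app = ET.fromstring(xml_text).find("application")
    if app is None: return []
    findings = []
    for attr, (sev, title, action) in APP_FLAGS.items():
        if app.get(A + attr) == "true":
            findings.append((sev, title, "AndroidManifest.xml application node", action))
    for comp in app:
        # The MAIN launcher activity is expected to be exported; any other component exported
        # without a guarding android:permission widens the attack surface.
        launcher = any(a.get(A + "name") == "android.intent.action.MAIN" for a in comp.iter("action"))
        unguarded = comp.get(A + "exported") == "true" and not comp.get(A + "permission")
        if comp.tag in COMPONENTS and unguarded and not launcher:
            findings.append(("Warning", f"Exported {comp.tag} {comp.get(A + 'name')} has no permission guard",
                             "AndroidManifest.xml component node", "Set android:exported=false or add a permission."))
    return findings

def render(findings):
    """Lay the findings out in the section order of the Example Output above."""
    out = []
    for sev in ("Critical", "High", "Warning", "Informational"):
        rows = [f"- {t}\n  Evidence: {e}\n  Recommended action: {a}" for s, t, e, a in findings if s == sev]
        out += [f"{sev}:"] + (rows or ["- None found from available evidence."])
    return "\n".join(out)
```

Running `print(render(audit_manifest(SAMPLE_MANIFEST)))` flags the three application attributes and the unguarded exported receiver, while the MAIN launcher activity and the permission-protected service are left alone.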

Repository Map

  • SKILL.md: the installable FlutterGuard skill.
  • AGENTS.md: project-level guidance for Codex-style agents working with this repo.
  • SECURITY.md: reporting and safety policy.

Safety Philosophy

FlutterGuard should not silently auto-fix sensitive production behavior.

Human approval is required for:

  • authentication changes
  • payment changes
  • permission removal or addition
  • dependency changes
  • signing configuration
  • publishing configuration
  • production environment configuration
  • API key migration
  • privacy or data collection behavior
  • deleting files from an app

Safe agent work includes artifact inspection, evidence collection, Markdown reports, checklist notes, test suggestions, and non-invasive recommendations.

Status

FlutterGuard is currently a single agentic skill. The repository intentionally contains no CLI engine, generated binaries, APK fixtures, build output, scan outputs, installers, or CI wrappers.
