staff-mcp 1.0.8 → 1.0.10

package/README.md

@@ -24,7 +24,7 @@ Seamlessly spawn the AI assistant **inside any Docker container** while keeping
 npx -y staff-mcp@latest --docker node:20-alpine
 
 # Perform security analysis inside a custom reverse-engineering image
-npx -y staff-mcp@latest --docker reverse-engineer:v3 --profile reverse-engineer
+npx -y staff-mcp@latest --docker chineseastar/security:latest --profile android-reverse
 ```
 
 ### 3. Claude Desktop Configuration
@@ -66,8 +66,8 @@ Never pollute your host machine again. By simply appending `--docker <image>`, `
 
 Switch roles on the fly:
 ```bash
-npx -y staff-mcp@latest --profile developer
-npx -y staff-mcp@latest --profile reverse-engineer
+npx -y staff-mcp@latest --profile default
+npx -y staff-mcp@latest --profile android-reverse
 ```
 
 ### 3. Built-in `skill-manager`
@@ -88,7 +88,7 @@ It will securely download, configure, and reload the skill without you lifting a
 | :--- | :--- | :--- |
 | `-w, --working-dir` | Root directory for the sandbox | `process.cwd()` |
 | `-d, --allowed-dir` | Extra directories allowed for access | `[]` |
-| `-r, --profile` | The active profile for skills (e.g., developer) | `default` |
+| `-r, --profile` | The active profile for skills (e.g., android-reverse) | `default` |
 | `--docker` | Run inside a Docker container using this image | `undefined` |
 | `-D, --docker-args` | Extra args for `docker run` (e.g., `-e FOO=BAR`) | `[]` |
 | `-t, --transport` | Transport type (`stdio` or `http`) | `stdio` |
@@ -104,13 +104,13 @@ If you need the AI to interact with an Android device connected via USB while ru
 
 # 2. Start staff-mcp with the ADB_SERVER_SOCKET environment variable injected
 # On Mac/Windows:
-npx -y staff-mcp@latest --docker reverse-engineer:v1 -D "-e ADB_SERVER_SOCKET=tcp:host.docker.internal:5037"
+npx -y staff-mcp@latest --docker chineseastar/security:latest -D "-e ADB_SERVER_SOCKET=tcp:host.docker.internal:5037"
 
 # On Native Linux (If not using --network host, point to the docker bridge IP):
-npx -y staff-mcp@latest --docker reverse-engineer:v1 -D "-e ADB_SERVER_SOCKET=tcp:172.17.0.1:5037"
+npx -y staff-mcp@latest --docker chineseastar/security:latest -D "-e ADB_SERVER_SOCKET=tcp:172.17.0.1:5037"
 
 # Alternative for Native Linux (Share host network stack completely):
-npx -y staff-mcp@latest --docker reverse-engineer:v1 -D "--network host"
+npx -y staff-mcp@latest --docker chineseastar/security:latest -D "--network host"
 ```
 
 ---

package/README_zh.md

@@ -24,7 +24,7 @@ npx -y staff-mcp@latest --working-dir /path/to/your/project
 npx -y staff-mcp@latest --docker node:20-alpine
 
 # 在自带逆向工程工具链的镜像里执行安全分析
-npx -y staff-mcp@latest --docker reverse-engineer:v3 --profile reverse-engineer
+npx -y staff-mcp@latest --docker chineseastar/security:latest --profile android-reverse
 ```
 
 ### 3. Claude Desktop 配置
@@ -66,8 +66,8 @@ npx -y staff-mcp@latest --docker reverse-engineer:v3 --profile reverse-engineer
 
 在不同角色中自由切换：
 ```bash
-npx -y staff-mcp@latest --profile developer
-npx -y staff-mcp@latest --profile reverse-engineer
+npx -y staff-mcp@latest --profile default
+npx -y staff-mcp@latest --profile android-reverse
 ```
 
 ### 3. 聪明的“技能管家” (`skill-manager`)
@@ -88,7 +88,7 @@ npx -y staff-mcp@latest --profile reverse-engineer
 | :--- | :--- | :--- |
 | `-w, --working-dir` | 沙盒的根目录 (工作区) | `process.cwd()` |
 | `-d, --allowed-dir` | 额外允许 AI 访问的宿主机目录 | `[]` |
-| `-r, --profile` | 当前激活的技能档案/工种 (如 developer) | `default` |
+| `-r, --profile` | 当前激活的技能档案/工种 (如 android-reverse) | `default` |
 | `--docker` | 在指定的 Docker 镜像内运行 AI | `undefined` |
 | `-D, --docker-args` | 传递给 `docker run` 的自定义底层参数 | `[]` |
 | `-t, --transport` | 传输协议 (`stdio` 或 `http`) | `stdio` |
@@ -104,13 +104,13 @@ npx -y staff-mcp@latest --profile reverse-engineer
 
 # 2. 启动 staff-mcp 并注入 ADB_SERVER_SOCKET 环境变量
 # Mac/Win 环境下：
-npx -y staff-mcp@latest --docker reverse-engineer:v1 -D "-e ADB_SERVER_SOCKET=tcp:host.docker.internal:5037"
+npx -y staff-mcp@latest --docker chineseastar/security:latest -D "-e ADB_SERVER_SOCKET=tcp:host.docker.internal:5037"
 
 # 原生 Linux 环境下（若不使用 host 网络，可指向虚拟桥接 IP）：
-npx -y staff-mcp@latest --docker reverse-engineer:v1 -D "-e ADB_SERVER_SOCKET=tcp:172.17.0.1:5037"
+npx -y staff-mcp@latest --docker chineseastar/security:latest -D "-e ADB_SERVER_SOCKET=tcp:172.17.0.1:5037"
 
 # 原生 Linux 的极简方案（直接与物理机共享网络栈）：
-npx -y staff-mcp@latest --docker reverse-engineer:v1 -D "--network host"
+npx -y staff-mcp@latest --docker chineseastar/security:latest -D "--network host"
 ```
 
 ---

package/builtin-profiles/android-reverse/skills/adb-workflow/SKILL.md

@@ -0,0 +1,66 @@
+---
+name: adb-workflow
+description: Android Debug Bridge (ADB) operations for Android Reverse Engineering. Use this when you need to pull APKs from a phone, inspect installed packages, or push/pull files.
+---
+
+# ADB Workflow
+
+You are an expert in interacting with Android devices via `adb`. Your role is to acquire targets from real or emulated Android devices connected to your workspace.
+
+## 🛠 Prerequisites
+You have direct access to the `adb` binary through `execute_command`. Before running complex commands, check if a device is connected:
+```bash
+adb devices
+```
+If no device is connected, inform the user to plug in a device or start an emulator.
+
+## 📦 Pulling an Installed Application (APK)
+When the user asks you to analyze an installed application (e.g., `com.tencent.mm` or `WeChat`):
+
+### 1. Find the Package Name
+Use `adb shell pm list packages` to search for the exact package name:
+```bash
+adb shell pm list packages | grep -i "tencent"
+```
+
+### 2. Find the APK Path on the Device
+Once you have the package name (e.g., `com.example.app`), find its installation path:
+```bash
+adb shell pm path com.example.app
+```
+*Output will look like: `package:/data/app/~~xxxxx==/com.example.app-yyyy==/base.apk`*
+
+### 3. Pull the APK to the Workspace
+Pull the `base.apk` (and any split APKs if requested) to your local analysis directory:
+```bash
+adb pull /data/app/~~xxxxx==/com.example.app-yyyy==/base.apk /workspace/com.example.app.apk
+```
+
+## 🔍 Pulling App Data (Non-Root vs Root)
+Sometimes you need to analyze an application's private databases, SharedPreferences, or cached files.
+- **If the device is rooted (`su` access):**
+  ```bash
+  adb shell "su -c cp /data/data/com.example.app/databases/app.db /sdcard/"
+  adb pull /sdcard/app.db /workspace/
+  ```
+- **If the device is non-rooted (Debuggable app):**
+  ```bash
+  adb shell run-as com.example.app cat /data/data/com.example.app/databases/app.db > /workspace/app.db
+  ```
+
+## 🚀 Pushing Scripts and Binaries
+When deploying tools like `frida-server` or standalone native executables:
+1. Push the binary to a temporary, executable directory on the Android device (usually `/data/local/tmp/`):
+   ```bash
+   adb push frida-server /data/local/tmp/
+   ```
+2. Make it executable:
+   ```bash
+   adb shell chmod +x /data/local/tmp/frida-server
+   ```
+3. Run it in the background:
+   ```bash
+   adb shell "/data/local/tmp/frida-server &"
+   ```
+
+Always verify commands with `execute_command` and parse the output before proceeding to the next steps. Do not guess paths; query the device interactively.

package/builtin-profiles/android-reverse/skills/android-reversing/SKILL.md

@@ -0,0 +1,60 @@
+---
+name: android-reversing
+description: Master skill for Android Reverse Engineering. Use this when starting any Android analysis task to understand the overall workflow (ADB, JADX, IDA).
+---
+
+# Android Reverse Engineering Master Workflow
+
+You are operating as an Expert Android Reverse Engineer. Your environment has access to powerful tools like `adb`, `jadx-mcp`, and `ida-pro-mcp`. 
+
+**CRITICAL:** You do NOT have direct access to JADX or IDA tools via standard CLI or pre-loaded MCP schemas. Instead, you MUST use the proxy MCP tools built into your environment: `manage_mcp_session`, `explore_mcp_session`, and `call_mcp_session_tool`.
+
+## 🔄 The Standard Reverse Engineering Pipeline
+
+Whenever the user asks to analyze an Android application, follow these phases systematically:
+
+### Phase 1: Acquisition (ADB)
+If the user provides an installed package name but not the APK file, you must extract it from the connected device using ADB.
+- Load the `adb-workflow` skill for detailed instructions on listing packages, finding paths, and pulling the APK.
+- If the APK is already provided, skip to Phase 2.
+
+### Phase 2: Static Java Analysis (JADX)
+Once you have the `.apk` or `.dex` file, you must start a JADX MCP session to perform static analysis.
+1. Start the JADX session using `manage_mcp_session`:
+   ```json
+   {
+     "action": "start",
+     "sessionId": "jadx_main",
+     "command": "npx",
+     "args": ["-y", "jadx-mcp@latest", "--file", "/absolute/path/to/app.apk"]
+   }
+   ```
+2. Wait for it to become ready, then use `explore_mcp_session` to discover tools (e.g., `get_manifest`, `search_code`, `get_class_source`).
+3. **Always start by analyzing the Manifest** to find the package name, Main Activity, and declared permissions.
+4. Load the `jadx-workflow` skill if you need deeper guidance on traversing Java/Dalvik code.
+
+### Phase 3: Native Binary Analysis (IDA Pro)
+If during your Java analysis you discover `System.loadLibrary("foo")` or `native` methods, you must transition to native analysis.
+1. Extract the `.so` files from the APK using `unzip` (e.g., `unzip app.apk lib/* -d /workspace/extracted/`).
+2. Identify the correct architecture (usually `arm64-v8a`).
+3. Start the IDA Pro MCP session using `manage_mcp_session`:
+   ```json
+   {
+     "action": "start",
+     "sessionId": "ida_foo",
+     "command": "idalib-mcp",
+     "args": ["--port", "8745", "--unsafe", "/absolute/path/to/libfoo.so"],      "transportType": "http",
+      "port": 8745
+    }
+   ```
+4. **Notice on `--unsafe`**: Use the `--unsafe` flag when starting `idalib-mcp`. This safely enables advanced capabilities (like `dbg_get_registers` or arbitrary IDAPython execution) because this environment is securely sandboxed in Docker.
+5. Load the `ida-workflow` skill for detailed instructions on decompiling, identifying JNI structures, and renaming variables.
+
+### Phase 4: Cleanup
+Once the analysis is completely finished and you have answered the user's questions, you MUST clean up your environment.
+- Call `stop_mcp_session` for every session ID you created.
+
+## ⚠️ Important Rules for Proxy Tools
+- **Never guess parameters:** Before calling a tool on an MCP session (like JADX), use `explore_mcp_session` with the `toolName` parameter to read the exact JSON schema required.
+- **Do not restart active sessions:** Use `list_mcp_sessions` to check if a session for your target file is already running. If it is, reuse it!
+- **Pass correct arguments:** When using `call_mcp_session_tool`, ensure your `params` string is a valid JSON object string matching the schema you discovered.

package/builtin-profiles/android-reverse/skills/ida-workflow/SKILL.md

@@ -0,0 +1,55 @@
+---
+name: ida-workflow
+description: Native Native/SO Binary Analysis (IDA Pro). Use this when you have extracted a `.so` (Shared Object) or C/C++ executable and need to perform native decompilation and analysis via the IDA MCP proxy.
+---
+
+# IDA Pro MCP Proxy Workflow
+
+You are an expert Native Reverse Engineer, capable of reading C/C++ pseudo-code, ARM assembly, and analyzing JNI (Java Native Interface) structures. You use the `ida-pro-mcp` backend through the `staff-mcp` proxy tools.
+
+## 🛠 Initialization
+When you receive a `.so` file (e.g., `libnative-lib.so`) or an ELF binary to analyze:
+1. **Verify Session:** Check if an IDA session is already running using `manage_mcp_session` with `action: "list"`.
+2. **Start Session:** If not, use `manage_mcp_session` with `action: "start"`.
+   - **Command:** `idalib-mcp`
+   - **Args:** `["--port", "8745", "--unsafe", "/absolute/path/to/libnative-lib.so"]`
+   - **Notice on `--unsafe`**: Use the `--unsafe` flag when starting `idalib-mcp`. This safely enables advanced capabilities (like `dbg_get_registers` or arbitrary IDAPython execution) because this environment is securely sandboxed in Docker.
+   - **Transport Configuration:** You MUST set `"transportType": "http"` and `"port": 8745`.
+   - **Session ID:** Choose a meaningful name, e.g., `ida_native_lib` or `ida_crypto`.
+
+## 🧭 Discovery and Schema Fetching
+You MUST NEVER guess the parameters for IDA's tools. The IDA MCP server provides powerful but complex tools for binary analysis.
+1. Call `explore_mcp_session(sessionId="ida_native_lib")` to see available tools (e.g., `decompile`, `rename`, `set_type`, `search_bytes`).
+2. Before calling a tool like `decompile`, retrieve its exact JSON schema: `explore_mcp_session(sessionId="ida_native_lib", toolName="decompile")`.
+3. Once you have the schema, invoke the tool with `call_mcp_session_tool`.
+
+## 🗺 Standard Native Analysis Path
+
+Follow this path to comprehensively understand a Native Library (`.so`):
+
+### Step 1: Identify JNI Interface (Exports / Symbols)
+Native Android libraries usually expose functions to Java via JNI. You need to find them.
+- Look for tools like `list_exports`, `list_functions`, or `search_names`.
+- Focus on exported functions starting with `Java_` (Static JNI linking) or the `JNI_OnLoad` function (Dynamic JNI linking).
+
+### Step 2: Decompile JNI Entry Points (`decompile`)
+Once you find a target function (e.g., `Java_com_example_app_MainActivity_stringFromJNI`):
+- Call the decompile tool, passing the function name or address.
+- Carefully read the returned C pseudo-code.
+- Remember that the first two arguments of a static JNI function are always `JNIEnv* env` and `jobject thiz` (or `jclass clazz`).
+
+### Step 3: Analyze Dynamic JNI Registration (`JNI_OnLoad`)
+If `JNI_OnLoad` is present, the app dynamically registers its native methods:
+- Decompile `JNI_OnLoad`.
+- Look for calls to `RegisterNatives`.
+- Identify the `JNINativeMethod` array to find the mappings between Java method names and native C function pointers.
+
+### Step 4: Iterative Refactoring (`rename`, `set_type`)
+Raw decompiled C code is often hard to read (e.g., `v1`, `a3`, `sub_12345`). You must improve it iteratively:
+- Use tools like `rename` to change variable and function names to meaningful ones (e.g., `a1` -> `env`, `sub_12345` -> `decrypt_payload`).
+- Use tools like `set_type` to define struct types (e.g., `JNIEnv*`) so IDA can automatically resolve offsets to function names (like `env->NewStringUTF`).
+- Re-run `decompile` after refactoring to get cleaner code.
+
+## ⚠️ Notes
+- Always work with the appropriate architecture for the target device (usually `arm64-v8a`). Do not analyze `x86` or `armeabi-v7a` libraries unless necessary.
+- IDA Pro analysis is stateful. Your renaming operations persist in the IDA database (`.idb`/`.i64`). Make sure you only rename variables when you are highly confident.

package/builtin-profiles/android-reverse/skills/jadx-workflow/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: jadx-workflow
+description: Android Static Java Analysis (JADX). Use this when you have an APK or DEX file and need to analyze its Java/Dalvik source code using the JADX MCP proxy.
+---
+
+# JADX MCP Proxy Workflow
+
+You are an expert Dalvik bytecode and Android Java static analyst. You use the `jadx-mcp` backend through the `staff-mcp` proxy tools to explore Android applications without relying on GUI decompilers.
+
+## 🛠 Initialization
+To start analyzing an Android application (`.apk` or `.dex`):
+1. **Verify Session:** Check if a JADX session is already running using `manage_mcp_session` with `action: "list"`.
+2. **Start Session:** If not, you MUST use `manage_mcp_session` with `action: "start"`.
+   - **Command:** `npx`
+   - **Args:** `["-y", "jadx-mcp@latest", "--file", "/workspace/target.apk"]`
+   - **Session ID:** Choose a distinct, readable name, e.g., `jadx_whatsapp` or `jadx_malware`.
+
+## 🧭 Discovery and Schema Fetching
+You MUST NEVER assume the exact JSON parameters for a JADX tool. JADX's tools change across versions. 
+1. Use `explore_mcp_session(sessionId="jadx_malware")` to see available tools.
+2. When you want to use a tool, call `explore_mcp_session(sessionId="jadx_malware", toolName="search_code")` to get its precise JSON schema.
+3. Once you have the schema, invoke the tool with `call_mcp_session_tool`.
+
+## 🗺 Standard Java Analysis Path
+
+Follow this path to comprehensively understand an unknown APK:
+
+### Step 1: The Manifest (`get_manifest`)
+You must always start by retrieving the `AndroidManifest.xml` summary or full text.
+- Find the **Package Name** (e.g., `com.example.app`).
+- Find the **Application Class** (e.g., `android:name=".MyApplication"`).
+- Identify the **Main/Launcher Activity** (the entry point).
+- Note down critical **Permissions** (e.g., `READ_SMS`, `INTERNET`).
+
+### Step 2: High-Level Exploration (`list_packages` / `list_classes`)
+If you need to understand the project structure (e.g., separating third-party SDKs from the main business logic):
+- Explore the root packages. Ignore standard libraries (`android.*`, `androidx.*`, `kotlin.*`, `com.google.*`) unless explicitly instructed.
+- Focus on the package matching the app's `package_name` from Step 1.
+
+### Step 3: Targeted Search (`search_code`)
+If you have a specific goal (e.g., finding where an encryption key is generated, or a specific API endpoint):
+- Search for constants: `"http://"`, `"https://"`, `"AES/CBC/PKCS5Padding"`, `"password"`.
+- You can often use regex (if the schema allows) to find method signatures like `private native .*`.
+
+### Step 4: Deep Decompilation (`get_class_source` or similar)
+Once you locate an interesting class via `search_code` or `list_classes`, decompile it:
+- Call the appropriate tool to retrieve the decompiled Java source of the class.
+- Read the code carefully.
+- If it loads a native library (`System.loadLibrary("crypto")`), extract the `.so` file and transition to the `ida-workflow` skill.
+
+## ⚠️ Notes
+- If an operation fails or times out, check if the APK is extremely large. The JADX backend might still be loading classes.
+- JADX does not execute the code. It is a static analysis tool. For dynamic tracing, consider `frida`.

package/builtin-profiles/common/skill-manager/SKILL.md

@@ -0,0 +1,54 @@
+---
+name: skill-manager
+description: Manage staff-mcp skills and profiles (install, uninstall, search). Use this when the user wants to add, remove, or find skills or configure a profile.
+---
+
+# Skill & Profile Manager
+
+This core skill enables the assistant to manage skills and configure profiles for the `staff-mcp` ecosystem.
+
+## Knowledge
+Skills are stored as directories containing a `SKILL.md` file. They can be installed at different levels with the following priority (highest to lowest):
+1. **Project Level**: `<cwd>/.staff/skills/<skill-name>/SKILL.md` (Primary target for assistant operations)
+2. **Project Profile Level**: `<cwd>/.staff/profiles/<profile-name>/skills/<skill-name>/SKILL.md`
+3. **Global Profile Level**: `~/.staff/profiles/<profile-name>/skills/<skill-name>/SKILL.md`
+4. **Global Level**: `~/.staff/skills/<skill-name>/SKILL.md`
+5. **Built-in Infrastructures**: `staff-mcp/builtin-profiles/...`
+
+**Profiles** are specific context configurations (e.g. `default`, `android-reverse`). They act as complete environments that can contain not only skills but also future configurations like `agent.md` (for MCP instructions overrides). 
+
+### ⚠️ Security Boundaries & Default Scope
+- **Default to Workspace ONLY**: Unless the user explicitly says otherwise, you MUST assume all requests (install, uninstall, clear) apply ONLY to the standard project workspace (`<cwd>/.staff/skills/`).
+- **Profiles are User-Managed**: DO NOT attempt to write, modify, or delete skills inside `<cwd>/.staff/profiles/` or `~/.staff/profiles/` unless explicitly instructed to modify a profile. Profiles are generally managed by the user.
+- **DO NOT Locate Global/Built-in Skills**: Do not use tools (`list_dir`, `execute_command`, etc.) to search for or verify global or built-in skills when deleting or modifying. Ignore their existence to avoid wasting time and access denied errors.
+- **Global & Built-in are Read-Only**: You are strictly prohibited from modifying user-level (`~/.staff/`) or built-in (`staff-mcp/builtin-profiles/`) directories.
+- **Provide Instructions for Global**: If the user EXPLICITLY asks to modify a global skill or profile, DO NOT try to locate or execute it. Simply provide the exact shell commands in a markdown code block and politely instruct the user to run them manually.
+
+## Workflows
+
+### 🔍 Search/Discover Skills
+To find skills to install:
+1. **Analyze the source**: A skill can come from anywhere: a local directory path, a GitHub URL, an npm package, a zip file, or another public repository.
+2. **If the user provides an exact path or URL**: Use that directly to fetch the skill.
+3. **If the user does not provide enough information**: Do NOT assume it is from Anthropic or GitHub. Ask the user politely for the exact URL, Git repository, or local folder path where the skill is located.
+4. **Example searches (Optional)**: If the user explicitly asks for "Anthropic official skills", you can use `curl -s "https://api.github.com/orgs/anthropics/repos?per_page=100" | grep '"name"'` as an example, but NEVER restrict yourself to this organization unless requested.
+
+### ⬇️ Install a Skill
+When the user asks to install a skill:
+1. **Determine the source**: Ensure you know exactly where to get the skill from. If unsure, ask the user.
+2. **Assume Project environment** (`<cwd>/.staff/skills/`) by default.
+3. **If Project-level**: 
+   - Use `execute_command` to fetch the skill (e.g., `git clone <url> <cwd>/.staff/skills/<skill-name>` or `cp -r <local-path> <cwd>/.staff/skills/<skill-name>`).
+   - Ensure the directory contains a `SKILL.md` file.
+4. **If Global-level or Profile-level**: DO NOT execute anything. Output the corresponding commands (e.g., `mkdir -p ~/.staff/skills && cd ~/.staff/skills && git clone <url> <name>`) and ask the user to execute them manually.
+
+### 🗑️ Uninstall / Clear Skills
+When the user asks to remove, uninstall, or clear skills:
+1. **Assume Workspace Only**: ONLY look in and modify the standard project directory (`<cwd>/.staff/skills/`). Do NOT touch `.staff/profiles/` unless specifically told to do so.
+2. Use `execute_command` (e.g., `rm -rf .staff/skills/*`) to delete them directly.
+3. **Do NOT** try to find, list, or touch `~/.staff` or built-in skills. Ignore them entirely.
+4. If the user EXPLICITLY asks to remove a **global** or **profile** skill, DO NOT look for it. Just output the command and tell the user to run it themselves.
+
+### 📝 Create a Custom Skill
+1. Assume **Project-level** by default. Use `write_file` to create `<cwd>/.staff/skills/<skill-name>/SKILL.md`.
+2. If the user explicitly asks for a **Global-level** skill, provide the file content in a code block and instruct the user to save it to `~/.staff/skills/<skill-name>/SKILL.md` manually.