frida-stalker-android
- Repo stars 6
- Author updated Live
- Author repo frida-stalker-skills
- Domain
- Other
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @yfe404 · no license declared
- Token usage
- Lean
- Setup complexity
- Guided setup
- External API key
- Not required
- Operating systems
- Windows
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: frida-stalker-android
description: Trace native execution on Android with Frida Stalker (Frida 17+): call summaries, event parsing…
category: other
runtime: no special runtime
---
# frida-stalker-android output preview
## PART A: Task fit
- Use case: Trace native execution on Android with Frida Stalker (Frida 17+): call summaries, event parsing, transforms, and performance-safe start/stop patterns. Use this skill when you need to trace native code execution on Android using Frida's Stalker API, with templates geared for ARM/ARM64 and performance-safe defaults. runs entirely locally. Works with Claude ….
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Overview / When To Use This Skill / Quick Decision Guide” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Trace native execution on Android with Frida Stalker (Frida 17+): call summaries, event parsing, transforms, and performance-safe start/stop patterns. Use this skill when you need to trace native code execution on Android using Frida's Stalker API, with templates geared for ARM/ARM64 and performance-safe defaults. runs entirely locally. Works with Claude …”.
- **02** When the source has headings, the agent prioritizes “Overview / When To Use This Skill / Quick Decision Guide” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source mentions slash commands such as `/data`; use them first when your agent supports command triggers.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands.
Start with a small task and check whether the result follows “Overview / When To Use This Skill / Quick Decision Guide”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: frida-stalker-android
description: Trace native execution on Android with Frida Stalker (Frida 17+): call summaries, event parsing…
category: other
source: yfe404/frida-stalker-skills
---
# frida-stalker-android
## When to use
- Trace native execution on Android with Frida Stalker (Frida 17+): call summaries, event parsing, transforms, and perfo…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Overview / When To Use This Skill / Quick Decision Guide” and keep inference separate from source facts.
- read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "frida-stalker-android" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Overview / When To Use This Skill / Quick Decision Guide
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files, run shell commands | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Frida Stalker (Android)
Overview
Use this skill when you need to trace native code execution on Android using Frida's Stalker API, with templates geared for ARM/ARM64 and performance-safe defaults.
This skill assumes Frida 17+ JavaScript semantics.
When To Use This Skill
- User explicitly asks for "Frida Stalker" on Android.
- You need to measure native call activity (who got called, how often) with low overhead.
- You need ordered call events (call graph reconstruction) or coarse coverage.
- You need to inject logic on basic-block compilation through
transform(iterator).
Quick Decision Guide
- Want call counts per target and don't care about ordering: use
onCallSummary. - Want ordered call/ret/block/compile events: use
onReceiveand decode withStalker.parse(). - Want instruction-level matching and callouts: use
transform(iterator)(heavy; do it narrowly). - Want to watch a small set of call targets: consider
Stalker.addCallProbe().
Core API Facts (Frida 17+)
Stalker.follow([threadId, options])- Provide exactly one callback:
onReceive(events)oronCallSummary(summary). Stalker.unfollow([threadId])Stalker.parse(events, { annotate, stringify })Stalker.flush()drains buffered events early (otherwise periodic draining is controlled byStalker.queueDrainInterval).Stalker.garbageCollect()should be called afterunfollow()to free accumulated memory at a safe point.Stalker.exclude({ base, size })excludes a memory range from stalking (useful to skip noisy/system modules).- Tuning:
Stalker.trustThresholddefault1(set-1for no trust,0to trust immediately, orNto trust afterNexecutions).Stalker.queueCapacitydefault16384events.Stalker.queueDrainIntervaldefault250ms (set0to disable periodic draining and callStalker.flush()manually).
Workflow
- Define objective.
- Choose thread(s).
- Choose capture mode and filters.
- Pick a template and adapt it.
- Run, tune performance, and clean up.
If you are using the Frida MCP tools, also enable $frida-mcp-workflow and follow its phases (Idea -> Scripting -> Execution -> Notes).
Templates
Start from these and keep scripts file-based.
templates/stalker-call-summary.js: low-overhead call counting viaonCallSummary.templates/stalker-onreceive-parse.js: receive binary events and decode withStalker.parse().templates/stalker-start-stop-around-hook.js: follow/unfollow only during a specific hooked function call.templates/stalker-call-probe.js: observe calls to a single target viaStalker.addCallProbe().templates/stalker-transform-skeleton.js: minimaltransform(iterator)skeleton with ARM/ARM64 safety check.templates/stalker-filter-modules.js: helper to select "app modules" on Android and exclude the rest.
Quick Start
- If you do not know the thread id yet, start with
templates/stalker-start-stop-around-hook.js. - If you already know the thread id and want low overhead, use
templates/stalker-call-summary.js. - If you need ordered events, use
templates/stalker-onreceive-parse.jsand keep event types narrow. - If you only care about calls to one target, start with
templates/stalker-call-probe.js.
MCP Usage Notes (If Available)
When driving this through the Frida MCP tools, prefer this flow:
- Create or attach a session (
mcp__frida__create_interactive_session/mcp__frida__attach_to_process). - Load the selected template with
mcp__frida__load_script. - Start tracing through RPC exports using
mcp__frida__call_rpc_export(templates exposestart()/stop()when appropriate). - Use
mcp__frida__get_session_messagesto consume output.
Keep a script ledger (what is loaded, purpose, and teardown path). This is enforced by $frida-mcp-workflow.
Android-Specific Notes (Practical)
Thread choice matters more than you think.
If you start stalking the wrong thread, you will see nothing, or only system noise.
A safe pattern is to start stalking from inside an
Interceptor.attach()callback, usingProcess.getCurrentThreadId()to capture the thread that is actually executing your target function.Module filtering is essential.
On Android, app code is usually in modules whose
pathcontains/data/app/,/data/data/, or an extracted APK split path.Exclude common noise sources (
libart.so,libc.so,liblog.so, etc.) usingStalker.exclude()when you only care about your app's own native libs.32-bit ARM note.
If you use raw addresses on 32-bit ARM, Thumb functions require the low bit set. Prefer addresses returned by Frida APIs like
Process.getModuleByName(...).getExportByName(...).Avoid
Process.runOnThread()unless you know what you're doing.It can interrupt a thread in non-reentrant code and cause deadlocks/crashes.
Performance Rules Of Thumb
- Avoid
events.execunless you truly need instruction-level traces. It produces huge volumes of data. - Prefer
onCallSummaryoveronReceivewhen you can. - Keep your callbacks lean; push heavy work to the host side when possible.
- Use
Stalker.exclude()aggressively to reduce time spent in system libraries. - Prefer manual draining (
Stalker.queueDrainInterval = 0+Stalker.flush()) when you need deterministic windows. - Call
Stalker.garbageCollect()after unfollowing, especially if you repeatedly start/stop.
Cleanup Checklist
Stalker.unfollow(threadId)Stalker.flush()Stalker.garbageCollect()
Troubleshooting
No output at all.
You are likely stalking the wrong thread, or your callback isn't being invoked (e.g., you followed a thread that never runs).
Output is only system noise.
Add module filters and exclusions. Start stalking from inside a hook where you know you're in app code.
Target slows to a crawl or dies.
Reduce enabled events, stop using
exec, and switch toonCallSummary. Exclude large/noisy modules.
For deeper notes, see:
references/stalker-api.mdreferences/android-filtering.md
Decide Fit First
Design Intent
How To Use It
Boundaries And Review