android-mcp-adb

v2.0.0 suspicious
6.0
Medium Risk

Full Android control from any AI agent via MCP — 7 tools, 90fps viewer, WiFi ADB

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits several red flags including potential obfuscation techniques and high shell risk, suggesting possible malicious intent. However, there is no concrete evidence of harmful behavior.

  • Base64 decoding used multiple times, indicating possible obfuscation attempts.
  • High shell risk due to subprocess execution that could be exploited.

Per-check LLM notes
  • Network: The use of aiohttp.ClientSession suggests network interaction, which could be legitimate for ADB commands but should be reviewed for unexpected external communications.
  • Shell: Subprocess execution is detected and could be used to run ADB commands. This needs further investigation to ensure it's not being exploited for unauthorized actions.
  • Obfuscation: Base64 decoding is used multiple times, which could indicate an attempt to hide code logic or data.
  • Credentials: No direct evidence of credential harvesting is observed.
  • Metadata: The package is suspicious due to its recent creation, low maintainer activity, and rapid commit history.

📦 Package Quality Overall: Medium (5.0/10)

✦ High Test Suite 9.0

Test suite present — 2 test file(s) found

  • Test runner config found: pyproject.toml
  • 2 test file(s) detected (e.g. test_integration.py)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (10246 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 124 type-annotated function signatures detected in source

○ Low Multiple Contributors 2.0

Single-author or unverifiable project

  • 1 unique contributor(s) across 7 commits in Steph-ux/android-mcp
  • Single author with few commits — possibly a personal or throwaway project

🔬 Heuristic Checks

Outbound Network Calls score 1.5

Found 1 network call pattern(s)

  • : self._session = aiohttp.ClientSession() return self._session async def _cmd(self, act

Code Obfuscation score 10.0

Found 6 obfuscation pattern(s)

  • en base64.""" data = base64.b64decode(data_b64) import tempfile, os with tempfile.
  • allé") needle_bytes = base64.b64decode(template_b64) haystack_bytes = await self.screenshot
  • hot échouée")) return base64.b64decode(r["data"]) async def screenshot_region(self, x: int, y:
  • ion échouée")) return base64.b64decode(r["data"]) async def get_live_frame(self) -> dict:
  • .Path(local_path).write_bytes(base64.b64decode(r["data"])) return {"success": r.get("success", Fals
  • import base64 raw = base64.b64decode(result[0].data) assert raw[:4] == b"\x89PNG" @p

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • st(args) try: r = subprocess.run( cmd, capture_output=True, text=True, timeout=ti
  • err).""" try: r = subprocess.run( ["adb", *args], capture_output=True
  • device_id] proc = subprocess.Popen(cmd) return _ok(pid=proc.pid, fps=fps, bitrate=b
  • crcpy via winget...") r = subprocess.run( ["winget", "install", _WINGET_SCRCPY_ID, "
  • label}") procs.append(subprocess.Popen(cmd)) print(f"\n {len(procs)} viewer(s) ouverts. Ferme
  • if args.check: r = subprocess.run([scrcpy_path, "--version"], capture_output=True, text=True)

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 5.0

Git history flags: Repository has zero stars and zero forks

  • Repository has zero stars and zero forks
  • All 7 commits happened within 24 hours

Maintainer History score 6.0

3 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with android-mcp-adb
Create a remote Android device management tool called 'RemoteControlMate' using the Python package 'android-mcp-adb'. This tool should allow users to remotely control their Android devices over Wi-Fi, view the screen at 90 frames per second, and execute various commands on the device. Here’s a detailed breakdown of the project requirements:

1. **Setup**: Install 'android-mcp-adb' and ensure your Android device is connected via Wi-Fi ADB.
2. **Screen Viewer**: Implement a real-time screen viewer that updates at 90fps. Use the package's capabilities to stream the device's screen to your computer.
3. **Command Executor**: Enable users to send touch events, swipe gestures, and key presses to the Android device. Integrate these functionalities through 'android-mcp-adb'.
4. **Device Information**: Retrieve and display basic information about the connected device such as model, OS version, and battery status.
5. **File Transfer**: Allow for simple file transfer between the Android device and the computer. Utilize the package to manage files on the device.
6. **User Interface**: Develop a user-friendly interface using a library like Tkinter or PyQt, where users can interact with the device's controls and see the live screen feed.
7. **Security Measures**: Ensure that all connections are secure and that the user has the necessary permissions to control the device.
8. **Documentation**: Provide clear documentation on how to set up and use the tool, including installation instructions for 'android-mcp-adb' and any dependencies.

This project aims to demonstrate the versatility and power of 'android-mcp-adb' while providing a practical solution for managing Android devices remotely.
