MobSF

Provides a Node.js MCP interface to expose MobSF security analysis for automated workflows and third‑party tools.
  • javascript

22

GitHub Stars

javascript

Language

6 months ago

First Indexed

2 months ago

Catalog Refreshed

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "il-il1-mobsf-mcp": {
      "command": "npx",
      "args": [
        "mobsf-mcp"
      ],
      "env": {
        "MOBSF_URL": "http://localhost:8000",
        "MOBSF_API_KEY": "your_api_key_here"
      }
    }
  }
}

MobSF-MCP is a Node.js based implementation of the Model Context Protocol for MobSF. It provides a standardized way to integrate MobSF security analysis into automated workflows and tools, enabling programmatic access to scans, reports, and other MobSF capabilities through a lightweight MCP server.

How to use

To use MobSF-MCP with an MCP client, start by ensuring MobSF is running with API access. The MCP server exposes a set of endpoints for uploading apps, retrieving reports, and performing analyses. In typical workflows you will configure a client to point at the local MCP server, then perform actions such as uploading an APK/IPA, fetching a full JSON report, or generating a PDF report. Use the client to orchestrate scans, view logs, and retrieve results for automated processing and integration into CI/CD pipelines.

How to install

Prerequisites: Node.js v14 or higher, npm, and a running MobSF instance with API access.

Install the MobSF-MCP server globally:

npm install -g mobsf-mcp

Configure environment variables and start the MobSF MCP server using the npx command. Open a PowerShell session with administrator privileges and set the MobSF connection details, then start the MCP server:

$env:MOBSF_URL="http://localhost:8000"; 
$env:MOBSF_API_KEY="your_api_key_here"; 
npx mobsf-mcp

Additional sections

Configuration for integration with the VSCode cline extension is provided in the README. To use MobSF-MCP with the cline extension, add the following MCP server configuration to your cline settings. This config uses stdio transport and the Windows path for Node.js as shown in the example.

{
  "mcpServers": {
    "MobSF MCP Server": {
      "disabled": false,
      "timeout": 60,
      "command": "Nodejs\\node.exe",
      "args": [
        "index.js"
      ],
      "env": {
        "MOBSF_URL": "http://localhost:8000",
        "MOBSF_API_KEY": "your_api_key_here"
      },
      "transportType": "stdio"
    }
  }
}

Notes and security

This MCP server is intended for legitimate security testing and automated workflows with explicit authorization. Do not use it to access systems or data without permission. Always protect your MobSF API key and restrict access to the MCP server.

Available tools

uploadFile

Uploads an app file (APK, IPA, APPX) for security analysis.

getScanLogs

Retrieves detailed scan logs for a given scan hash.

getJsonReport

Fetches the full JSON security analysis report for a scan.

getJsonReportSection

Gets a specific section of the JSON report by section name.

getRecentScans

Lists recent security scans with pagination.

searchScanResult

Searches scans by hash, name, or package.

deleteScan

Deletes scan results by hash.

getScorecard

Retrieves the application security scorecard.

generatePdfReport

Generates a PDF version of the security report.

viewSource

Views source files from the analysis.

getScanTasks

Returns the scan tasks queue for async processing.

compareApps

Compares two scans by their hashes.

suppressByRule

Suppresses findings by rule ID.

suppressByFiles

Suppresses findings by files.

listSuppressions

Lists suppressions for a scan.

deleteSuppression

Deletes a suppression by type and rule/file.

listAllHashes

Lists all report MD5 hashes.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational