Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"apktool-mcp-server": {
"args": [
"--directory",
"</PATH/TO/>apktool-mcp-server/",
"run",
"apktool_mcp_server.py"
],
"command": "/<path>/<to>/uv"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
⚡ Fully automated MCP server built on top of apktool to analyze Android APKs using LLMs like Claude — uncover vulnerabilities, parse manifests, and reverse engineer effortlessly.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
uvx 'httpx' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
PYSEC-2022-183
Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in security / developer-tools
A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.
XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.
Context7 Platform -- Up-to-date code documentation for LLMs and AI code editors
Copy/paste detector for programming source code, supports 223 formats. AI-ready with token-efficient reporter, skill and MCP server.
MCP Security Weekly
Get CVE alerts and security updates for Apktool Mcp Server and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
⚡ Fully automated MCP server built on top of apktool to analyze Android APKs using LLMs like Claude — uncover vulnerabilities, parse manifests, and reverse engineer effortlessly.
Image generated using AI tools.
apktool-mcp-server is a MCP server for the Apk Tool that integrates directly with Model Context Protocol (MCP) to provide live reverse engineering support with LLMs like Claude.
Think: "Decompile → Context-Aware Code Review → AI Recommendations" — all in real time.
Watch the demo!
https://github.com/user-attachments/assets/d50251b8-6b1c-4341-b18e-ae54eb24a847
https://github.com/user-attachments/assets/c783a604-a636-4e70-9fa8-37e3d219b20b
The following MCP tools are available:
build_apk() — Build an APK from a decoded APKTool Project.get_manifest() — Get the AndroidManifest.xml content from a decoded APK project.get_apktool_yml() — Get apktool.yml information from a decoded APK project.list_smali_directories() — List all smali directories in a project.list_smali_files() — List smali files in a specific smali directory, optinally filtered by package prefix.get_smali_file() — Get content of a specific smali file by class name.modify_smali_file() — Modify the content of a specific smali file.list_resources() — List resources in a project, optionally filtered by resource type.get_resource_file() — Get Content of a specific resource file.modify_resource_file() — Modify the content of a specific resource file.search_in_file() — Search for a pattern in files with specified extensions.clean_project() — Clean a project directory to prepare for rebuilding.decode_apk() — Decode an APK file using APKTool, extracting resources and smali code.“List all smali directories for the dvac project.”
“Show me all the smali files under the package prefix com.vulnerable.component in the dvac project.”
“Get the smali code for the class com.vulnerable.component.MainActivity.”
“Compare MainActivity.smali with its previous version and show differences.”
“Search for usage of startActivity in smali files of dvac project.”
“Analyze declared permissions in the dvac AndroidManifest.xml and flag dangerous ones.”
“Search for hardcoded URLs or IPs in all .xml and .smali files in the project.”
“Find all uses of PendingIntent.getActivity in smali files.”
“Check for exported activities or receivers in dvac’s