{
  "id": "dwisiswant0-apkleaks",
  "name": "apkleaks",
  "homepage": null,
  "repo_url": "https://github.com/dwisiswant0/apkleaks",
  "category": "security",
  "subcategories": [],
  "tags": [
    "android-security",
    "apk",
    "static-analysis",
    "secrets",
    "cli",
    "regex-scanning",
    "reverse-engineering"
  ],
  "what_it_does": "APKLeaks is a CLI tool that statically scans Android APK files to find potentially sensitive information such as URIs/endpoints and secrets, using the jadx disassembler (and other tooling) plus configurable regex-based patterns.",
  "use_cases": [
    "Bug bounty / mobile app security assessments by scanning APKs for exposed endpoints",
    "Static analysis of Android apps for hardcoded secrets and sensitive URLs",
    "Automated triage of potentially risky strings in APK resources and decompiled code"
  ],
  "not_for": [
    "Verifying the presence of exploitable vulnerabilities (static regex matching may produce false positives)",
    "Runtime detection of data exfiltration or behavior (no dynamic analysis mentioned)",
    "Secure handling of secrets as a managed service (this is a local scanner)"
  ],
  "best_when": "You want a local, repeatable static scan of APKs for common secret/endpoint patterns and can review results for false positives.",
  "avoid_when": "You need high-confidence results with minimal false positives, or you require dynamic/behavioral assurance rather than static pattern matching.",
  "alternatives": [
    "MobSF (static + dynamic analysis framework for Android)",
    "Grep/regex-based secret scanners over decompiled sources",
    "trufflehog-style regex scanners (for generic text/secrets) applied to extracted artifacts",
    "Semgrep/CodeQL-style rules on decompiled code (if you need rule-based findings)"
  ],
  "af_score": 46.0,
  "security_score": 39.8,
  "reliability_score": 23.8,
  "package_type": "skill",
  "discovery_source": ["openclaw"],
  "priority": "high",
  "status": "evaluated",
  "version_evaluated": null,
  "last_evaluated": "2026-03-29T14:57:24.313465+00:00",
  "interface": {
    "has_rest_api": false,
    "has_graphql": false,
    "has_grpc": false,
    "has_mcp_server": false,
    "mcp_server_url": null,
    "has_sdk": false,
    "sdk_languages": [],
    "openapi_spec_url": null,
    "webhooks": false
  },
  "auth": {
    "methods": [],
    "oauth": false,
    "scopes": false,
    "notes": "No network service authentication is described; it appears to be a local CLI workflow."
  },
  "pricing": {
    "model": null,
    "free_tier_exists": false,
    "free_tier_limits": null,
    "paid_tiers": [],
    "requires_credit_card": false,
    "estimated_workload_costs": null,
    "notes": "Installable open-source tool (no SaaS pricing described in provided content)."
  },
  "requirements": {
    "requires_signup": false,
    "requires_credit_card": false,
    "domain_verification": false,
    "data_residency": [],
    "compliance": [],
    "min_contract": null
  },
  "agent_readiness": {
    "af_score": 46.0,
    "security_score": 39.8,
    "reliability_score": 23.8,
    "mcp_server_quality": 0.0,
    "documentation_accuracy": 70.0,
    "error_message_quality": 0.0,
    "error_message_notes": null,
    "auth_complexity": 100.0,
    "rate_limit_clarity": 0.0,
    "tls_enforcement": 0.0,
    "auth_strength": 100.0,
    "scope_granularity": 0.0,
    "dependency_hygiene": 45.0,
    "secret_handling": 40.0,
    "security_notes": "Strength: no hosted service/auth implies fewer credential-handling risks. Concerns: it is designed to process potentially sensitive artifacts and produce outputs containing secrets/endpoints; the provided README does not document safe handling of results (e.g., redaction, secure storage, avoiding logging of sensitive matches) or runtime mitigations. Also depends on external tooling (jadx and others) whose integrity/verification is not described in the provided content.",
    "uptime_documented": 0.0,
    "version_stability": 35.0,
    "breaking_changes_history": 30.0,
    "error_recovery": 30.0,
    "idempotency_support": "true",
    "idempotency_notes": "Given it is a CLI that scans an input file and writes deterministic output based on patterns/args, rerunning with the same input and configuration should be effectively idempotent (though output filenames may be random if -o is not provided).",
    "pagination_style": "none",
    "retry_guidance_documented": false,
    "known_agent_gotchas": [
      "Relies on external disassembler (jadx) presence; behavior may differ if jadx needs to be downloaded",
      "User-controlled disassembler arguments (-a/--args) could change output and potentially affect stability",
      "If -o is omitted, output filename may be random, complicating automated pipelines"
    ]
  }
}