explaingit

moonpiesheldon1337/mobsf-fail-app

Analysis updated 2026-06-24

Stars · 30
Language · TypeScript
Audience · developer
Complexity · 3/5
Setup · moderate

TLDR

Browser app that takes a MobSF mobile-app scan report and uses a local in-browser LLM to flag which findings are likely false positives, then exports a clean Markdown or CSV.

Mindmap

mindmap
  root((mobsf-fail))
    Inputs
      MobSF JSON report
      MobSF PDF or HTML
    Outputs
      Markdown report
      Triage CSV
      Per-finding verdicts
    Use Cases
      Pentest report triage
      AppSec noise reduction
      DevSecOps CI review
    Tech Stack
      TypeScript
      Vite
      WebLLM
      WebGPU

What do people build with it?

USE CASE 1

Turn a 300-finding MobSF report into a short client-ready Markdown writeup

USE CASE 2

Strip obvious false positives before importing into a vulnerability tracker

USE CASE 3

Demo a privacy-preserving pentest workflow that never uploads the APK report

USE CASE 4

Fork the repo and add a category-specific prompt for tracker or binary findings

What is it built with?

TypeScript, Vite, WebLLM, WebGPU, pdfjs-dist

How does it compare?

                    moonpiesheldon1337/mobsf-fail-app   stoaaadev/stoa   clipboardhealth/groundcrew
Stars               30                                  30               31
Language            TypeScript                          TypeScript       TypeScript
Setup difficulty    moderate                            hard             moderate
Complexity          3/5                                 4/5              4/5
Audience            developer                           developer        developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate
Time to first run · 30 minutes

Needs a WebGPU-capable browser and a one-time multi-hundred-MB local model download.

In plain English

mobsf-fail is a small web app that helps mobile-app security testers cut down the noise in their reports. MobSF, short for Mobile Security Framework, is a popular open-source scanner for Android apps, and it is known for producing very long lists of findings, often 100 to 300 per scan, many of which are not real issues. This app reads a MobSF report and marks each finding with how likely it is to be a false positive, so a human only has to look closely at the few that actually matter.

The app runs entirely in the user's browser. A MobSF report can be dropped in as JSON, PDF, or HTML. JSON gives the best results because it carries file paths, line numbers, and standard tags; PDF and HTML still work but lose some of those details. Each finding is then sent to a language model that also runs inside the browser through a library called WebLLM, using the user's own GPU. No file, no finding, and no metadata ever leaves the computer. The only remote requests are the initial app load and a one-time download of the model weights.

For each finding the model produces a score from 0 to 100, a verdict, and a short reason. The author wrote category-specific prompts that encode the judgement a senior mobile pentester would apply: a 'hardcoded API key' might be a public Stripe key that is meant to ship in the app, an 'exported activity' might be the launcher screen, a 'cleartext traffic' warning might be scoped to the Android emulator address only. The prompts live in src/lib/prompts, and the author calls them the real product value, with the language model being just the layer that applies them.

Two files come out at the end. A Markdown draft of a pentest report contains only the confirmed findings and the ones that still need review, ready to convert to PDF or DOCX. A CSV table covers every finding with its verdict and reasoning, for spreadsheet review or import into a vulnerability tracker.

The README is clear about limits: the tool is not a scanner, it only operates on findings that MobSF has already produced, and it is not a replacement for human review. Running it needs a browser with WebGPU, such as Chrome, Edge, Brave, Opera, or Safari 18 and newer.
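The triage flow described above, as an added example that is not code from the mobsf-fail-app repo: the per-finding step is stood in for by a small rule set that encodes the three judgement calls the page mentions (publishable key, launcher activity, emulator-only cleartext) instead of a WebLLM prompt, and the same two artefacts are produced, a CSV covering every finding and a Markdown draft that drops the likely false positives. The finding field names, the sample findings, and the score thresholds are all constructed for this example.

```typescript
// Added example, not the project's own code. Rule-based stand-in for the
// in-browser LLM triage step, followed by the CSV and Markdown exports.
// Field names, sample values and thresholds are constructed assumptions.

type Category = "secrets" | "manifest" | "network" | "other";
type Label = "likely_false_positive" | "needs_review" | "likely_true_positive";

interface Finding {
  id: string;
  category: Category;
  title: string;
  file?: string;      // present in JSON exports, usually lost in PDF/HTML
  line?: number;
  evidence: string;   // matched string, manifest entry or URL from the report
}

interface Verdict {
  id: string;
  score: number;      // 0..100, higher means more likely a false positive
  verdict: Label;
  reason: string;
}

// Constructed sample input in the shape of a MobSF-style findings list.
const sampleFindings: Finding[] = [
  { id: "F1", category: "secrets", title: "Hardcoded API key", file: "Config.java", line: 12, evidence: "pk_live_EXAMPLE" },
  { id: "F2", category: "secrets", title: "Hardcoded API key", file: "Config.java", line: 13, evidence: "sk_live_EXAMPLE" },
  { id: "F3", category: "manifest", title: "Exported activity", evidence: "MainActivity android.intent.category.LAUNCHER" },
  { id: "F4", category: "manifest", title: "Exported activity", evidence: "DebugActivity" },
  { id: "F5", category: "network", title: "Cleartext traffic allowed", evidence: "http://10.0.2.2:8080/api" },
  { id: "F6", category: "network", title: "Cleartext traffic allowed", evidence: "http://api.example.com/v1" },
];

// Map a 0..100 false-positive score to one of three verdict labels.
function labelFor(score: number): Label {
  if (score >= 70) return "likely_false_positive";
  if (score <= 30) return "likely_true_positive";
  return "needs_review";
}

// Each branch encodes one category-specific judgement; anything unmatched
// falls through to manual review rather than being silently discarded.
function triageFinding(f: Finding): Verdict {
  let score = 50;
  let reason = "No rule matched; needs manual review";
  if (f.category === "secrets") {
    if (/^pk_(live|test)_/.test(f.evidence)) {
      score = 90; reason = "Stripe publishable key; designed to ship in clients";
    } else if (/^sk_live_/.test(f.evidence)) {
      score = 5; reason = "Stripe secret key embedded in the app";
    }
  } else if (f.category === "manifest") {
    if (f.evidence.includes("android.intent.category.LAUNCHER")) {
      score = 95; reason = "Launcher activity must be exported";
    } else {
      score = 40; reason = "Exported component without a launcher intent";
    }
  } else if (f.category === "network") {
    const hosts = f.evidence.match(/https?:\/\/[^/:\s]+/g) ?? [];
    const localOnly = hosts.length > 0 &&
      hosts.every((h) => /10\.0\.2\.2|127\.0\.0\.1|localhost/.test(h));
    if (localOnly) { score = 85; reason = "Cleartext scoped to emulator/loopback addresses"; }
    else { score = 10; reason = "Cleartext allowed to a non-local host"; }
  }
  return { id: f.id, score, verdict: labelFor(score), reason };
}

function triageAll(findings: Finding[]): Verdict[] {
  return findings.map(triageFinding);
}

// CSV covering every finding, with RFC 4180 quoting for commas and quotes.
function toCsv(findings: Finding[], verdicts: Verdict[]): string {
  const q = (s: string) => `"${s.replace(/"/g, '""')}"`;
  const rows = ["id,title,file,line,score,verdict,reason"];
  findings.forEach((f, i) => {
    const v = verdicts[i];
    rows.push([f.id, q(f.title), q(f.file ?? ""), String(f.line ?? ""),
      String(v.score), v.verdict, q(v.reason)].join(","));
  });
  return rows.join("\n");
}

// Markdown draft: confirmed findings and those still needing review only.
function toMarkdown(findings: Finding[], verdicts: Verdict[]): string {
  const lines = ["# Findings"];
  findings.forEach((f, i) => {
    const v = verdicts[i];
    if (v.verdict === "likely_false_positive") return;
    const loc = f.file ? ` (${f.file}${f.line ? `:${f.line}` : ""})` : "";
    lines.push(`- **${f.id}** ${f.title}${loc}: ${v.verdict}, ${v.reason}`);
  });
  return lines.join("\n");
}

const verdicts = triageAll(sampleFindings);
console.log(toCsv(sampleFindings, verdicts));
console.log(toMarkdown(sampleFindings, verdicts));
```

The rules here are deliberately conservative: a secret that matches no known publishable pattern, or an exported component with no launcher intent, stays at "needs_review" so it reaches the Markdown draft, which mirrors the page's point that the tool narrows human review rather than replacing it.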

Copy-paste prompts

Prompt 1
Walk me through cloning mobsf-fail-app, running it locally with npm, and dropping the sample MobSF report through it
Prompt 2
Help me write a new category prompt in src/lib/prompts for tracker findings, using the secrets prompt as a template
Prompt 3
Edit vite.config.ts and the GitHub Actions workflow so I can deploy my own fork to Pages under a different repo name
Prompt 4
Adapt the parser in src/lib/parsers to handle a MobSF v4.5 JSON field that the current code misses

Frequently asked questions

What is mobsf-fail-app?

Browser app that takes a MobSF mobile-app scan report and uses a local in-browser LLM to flag which findings are likely false positives, then exports a clean Markdown or CSV.

What language is mobsf-fail-app written in?

Mainly TypeScript. The stack also includes Vite and WebLLM.

How hard is mobsf-fail-app to set up?

Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.

Who is mobsf-fail-app for?

Mainly developers.


Verify against the repo before relying on details.