{ "slug": "mobile-mcp", "tool_id": "npm/@mobilenext/mobile-mcp", "verdict_url": "/verdict/mobile-mcp", "verdict_content_hash": "sha256:e73da4bf33764a39b925837a1868bfe21dd8d0cdfb3d80f4bf5d25c1812f7a4c", "version": "0.0.59", "commit": "9008f712891b39c751dfc1f5a39f1368d1e38a5f", "dist_shasum": "0ca03397acbc7bff6897162c8ec65d6ce32b2bd6", "scanned_at": "2026-06-13T00:00:00Z", "capture_self_test": "verified — a beacon decoy was emitted from the tool's network context; its presence in the intercept means a 'no egress' result would have been trustworthy.", "method": "Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS broken via own CA, iptables transparent redirect). Endpoints, resolved geo/jurisdiction and frequency are observed facts. Capture self-test passed.", "request_count": 21, "captured_requests": [ { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "269" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"launch\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "350" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_invoked\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_list_available_devices\",\"Duration\":50},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "343" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_click_on_screen_at_coordinates\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "322" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_list_apps\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "323" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_launch_app\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "326" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_terminate_app\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "324" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_install_app\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "336" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_list_elements_on_screen\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "335" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_start_screen_recording\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "334" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_stop_screen_recording\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "326" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_uninstall_app\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "328" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_get_screen_size\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "333" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_double_tap_on_screen\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "348" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_long_press_on_screen_at_coordinates\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "325" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_press_button\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "321" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_open_url\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "322" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_type_keys\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "328" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_save_screenshot\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "328" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_get_orientation\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "325" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_list_crashes\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "us.i.posthog.com", "path": "/i/v0/e/", "headers": { "host": "us.i.posthog.com", "connection": "keep-alive", "Content-Type": "application/json", "accept": "*/*", "accept-language": "*", "sec-fetch-mode": "cors", "user-agent": "node", "accept-encoding": "br, gzip, deflate", "content-length": "322" }, "body_redacted": "{\"api_key\":\"phc_KHRTZmkD…\",\"event\":\"tool_failed\",\"properties\":{\"Platform\":\"linux\",\"Product\":\"mobile-mcp\",\"Version\":\"0.0.59\",\"NodeVersion\":\"v20.20.2\",\"CI\":\"0\",\"AgentName\":\"mcp\",\"ToolName\":\"mobile_get_crash\"},\"distinct_id\":\"b204fade01d6…\"}", "blocked": true, "tls_inspected": true } ], "reproduce": { "scanner": "canary-sandbox (open methodology; Docker backend)", "command": "python -m canary.cli scan --backend docker # target: npm @mobilenext/mobile-mcp@0.0.59", "note": "Re-run it yourself: the scanner installs the pinned version, drives the tool over MCP, and intercepts all egress." }, "note": "Raw captured outbound requests from one sandbox run (identifiers/keys redacted). This is the underlying observation behind the verdict — re-run the scan to verify.", "verification": "verdict_content_hash = sha256 over the canonical verdict JSON; dist_shasum = the npm tarball checksum of the pinned version. Signed artifacts + an append-only immutable log are on the roadmap (toward independent verifiability).", "verdict_signature": "ed25519:DaE/9Sgfk6ZPvcEPKZO0aOJngmDN0QkooGE+RhPR8F+yNR86n06tWCJnN+z3uEvCaeVH1otpjKKSTRre4BzNCQ==" }