If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/Archmage83/tvapk shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Single-maintainer risk — review before adopting

• Last commit 7w ago
• 2 active contributors
• Apache-2.0 licensed
• ⚠ Small team — 2 contributors active in recent commits
• ⚠ Single-maintainer risk — top contributor 91% of recent commits
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live Archmage83/tvapk repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/Archmage83/tvapk.

What it runs against: a local clone of Archmage83/tvapk — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in Archmage83/tvapk | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | Last commit ≤ 77 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of Archmage83/tvapk. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/Archmage83/tvapk.git
#   cd tvapk
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of Archmage83/tvapk and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "Archmage83/tvapk(\\.git)?\\b" \\
  && ok "origin remote is Archmage83/tvapk" \\
  || miss "origin remote is not Archmage83/tvapk (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 77 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~47d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/Archmage83/tvapk"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

A curated collection repository of pre-compiled Android TV APK applications, primarily focused on providing free access to VIP streaming content, movies, TV shows, and live broadcasts on Android TV devices. The repository aggregates 60+ modded/unlocked APK files (entertainment apps, music/KTV apps, educational apps, and fitness apps) with pre-configured streaming sources and playback configurations, eliminating the need for users to manually source or configure these applications. Flat file structure: root directory contains 60+ named .apk files (e.g., 喵影视TV_3.8.0.apk, simpleliveTV-v1.1.0-32位系统.apk) with one subdirectory (宝宝趣学/) containing nested APKs and a 7z archive. A README.md documents each app with configuration hints (e.g., JSON source URLs for TVBox apps). No build scripts, no source code, no version manifest—purely a pre-compiled binary distribution hub.

Android TV device owners and enthusiasts (set-top box users, smart TV users) seeking free access to premium streaming content; casual contributors who have working APK files they want to share. Not for enterprise developers—this is a consumer-facing APK distribution repository maintained by individual enthusiasts.

This is an active but low-governance distribution repository. It has no version tags, no CI/CD pipeline, no automated testing, and no structured release process visible. The README indicates ongoing community contributions ('if you have any, please contribute'), but there's no evidence of formal maintenance infrastructure, dependency tracking, or automated issue handling. Verdict: Community-maintained, actively updated but fragile—suitable only for personal/hobby use, not production integration.

High risk for dependency on external infrastructure: the repo relies entirely on third-party streaming source URLs (e.g., https://freed.yuanhsing.cf/TVBox/meowcf.json, http://pandown.pro/tvbox/) which can disappear without notice. No integrity verification (checksums, signatures) is documented for the 60+ APK files. Single maintainer (Archmage83) with no visible backup maintainers. APK files may contain outdated dependencies or security vulnerabilities—no scan results visible. The APKs themselves are pre-compiled binaries, making source-code auditing impossible.

The README indicates ongoing acceptance of user-reported broken APKs ('如有失效的apk请及时提issue告知'—'if APKs fail, report via issue'). The presence of dated APK files (e.g., 猫TV_影视优化版_20240727.apk from July 2024) and references to companion repos (安卓影视剧合集, ios_ipa) suggests active curation. However, without visible commit history or issue tracker data, exact current activity is opaque.

Check README for instructions.

Daily commands: Not applicable—these are pre-compiled APK binaries. To use: (1) Download an APK from the repo, (2) Transfer to Android TV device via ADB (adb install app.apk), file transfer, or USB, (3) Open the app and (optionally) configure streaming sources (e.g., paste JSON URLs into TVBox settings as documented in README).

• README.md: Canonical source of truth: lists all 60+ APKs with descriptions, setup instructions, streaming source URLs, and companion repo links. Any contributor or user relies on this for app metadata and configuration.
• .gitattributes: Likely configured to handle large binary .apk files appropriately (Git LFS or similar) to avoid repository bloat, though exact configuration not visible in the provided snippet.
• LICENSE: Specifies legal terms for APK redistribution; critical for understanding copyright compliance and contributor obligations.
• 宝宝趣学/: Example of subdirectory structure for multi-file apps: contains both APK and 7z archive, showing how complex multi-part distributions are organized.

Contributing new APKs: (1) Test the APK on an Android TV device, (2) Add it to the repository root with a descriptive filename (Chinese app name + version), (3) Update README.md with app name, version, key features, and any required configuration steps (streaming source URLs, login credentials, etc.). For configuration updates: edit the relevant URL list in the 'Direct播放源与点播源' section. No code to modify—this is documentation + binary distribution.

1. External URL fragility: streaming source URLs in README (e.g., http://pandown.pro/, https://freed.yuanhsing.cf/) are not version-pinned and may disappear—no fallback documented. 2. APK age & security: no visible scan for outdated/vulnerable dependencies within the pre-compiled binaries; you're trusting the original app developers' update cadence. 3. File encoding: Chinese filenames throughout (e.g., 喵影视TV_3.8.0.apk) may cause issues on Windows/non-UTF8 systems when cloning via Git. 4. No checksums: no SHA256 or GPG signatures for APK integrity verification—trust is purely based on GitHub hosting. 5. License ambiguity: the presence of copyrighted app APKs (full music streaming apps, official TV apps) may violate ToS of original app publishers—no legal analysis in repo.

• Android APK (Android Package) — The core artifact of this repo—understanding what an APK is (compiled Android app binary, JAR+resources+manifest) is essential to knowing what you're distributing and why source-code auditing is impossible.
• Sideloading & ADB (Android Debug Bridge) — Users install these APKs via sideloading (bypassing official app stores) using ADB or file transfer—understanding the security/usability tradeoffs is critical for Android TV deployment.
• TVBox & JSON-based source configuration — Several apps (新TVBox, 喵影视TV, 影视仓) use JSON config files to dynamically load streaming sources—understanding this pattern is key to troubleshooting configuration failures in the README.
• M3U Playlist format (IPTV) — Live-streaming and TV apps rely on M3U playlists to load channels—knowing the format (text-based, channel definitions with metadata) helps users debug missing channels or broken feeds.
• DPI/architecture-specific APK variants (32-bit vs 64-bit) — Some APKs in the repo are split by architecture (e.g., simpleliveTV-v1.1.0-32位系统.apk vs 64-bit)—selecting the wrong variant will cause installation failure, requiring understanding of CPU architecture compatibility.
• APK modding & cracked/unlocked variants — Many APKs in the repo are described as 'unlocked' (e.g., 小鸡模拟器 'fully unlocked', 绘本故事TV 'login = instant VIP')—this implies reverse-engineering and modification, introducing security/legal risk not present in official builds.
• URL fragility & content delivery network (CDN) fallbacks — The repo's streaming sources are scattered across multiple CDNs and Chinese hosting services (pandown.pro, freed.yuanhsing.cf, etc.)—understanding why this creates maintenance burden and designing fallback strategies is essential for repository longevity.

• Archmage83/Android_apk — Official companion repo for Android phone APKs; referenced in README as the mobile-equivalent collection of the same streaming/entertainment apps.
• Archmage83/ios_ipa — Official companion repo for iOS IPAs; completes the ecosystem by offering the same content for iPhone/iPad users, referenced in README.
• PizazzGY/TVBox — Related TVBox JSON source repo; mentioned in README streaming sources—provides the configuration/source files that populate the apps in this repo.
• iptv-org/iptv — Canonical IPTV playlist repository; directly referenced in README's '直播源' (live streaming sources) section as a primary feed source.
• joevess/IPTV — Alternative IPTV M3U playlist source; listed in README as a fallback live-streaming feed for apps like simpleliveTV.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Create CONTRIBUTION.md with APK submission guidelines and verification checklist

The README invites contributions ('如大家有也可以贡献一下') but provides no submission standards. This causes quality issues like broken links (README mentions 'issue告知失效的apk'). A contribution guide would standardize: APK testing requirements, metadata format, version naming conventions, and a checklist to verify APKs work on actual TV devices before merge.

• [ ] Create CONTRIBUTION.md with APK submission template including: app name, version, tested device models, functionality verification, and Chinese/English descriptions
• [ ] Add section on how to report broken/expired APKs with issue template reference
• [ ] Document the expected folder structure (e.g., why 宝宝趣学/ is a subdirectory vs flat structure)
• [ ] Include legal disclaimer about VIP bypass functionality and copyright considerations

Add .gitignore and organize APK structure with metadata files

The repo stores 60+ APK files directly in root without organization. This is difficult to maintain and search. Create a structured directory organization with accompanying JSON metadata files that track: version, last_tested_date, working_status, and device_compatibility. This enables automated link checking for the 'failing APK' issue mentioned in README.

• [ ] Create .gitignore to exclude .apk files from tracking (use LFS or document external hosting alternative)
• [ ] Reorganize into categories: /影视/ /教育/ /直播/ /K歌/ /工具/ based on file names
• [ ] Add metadata.json in each directory with structure: {name, version, last_verified_date, device_models_tested, status: 'working|broken|unknown'}
• [ ] Create a validation script (Python/Node) to parse metadata and flag APKs not tested in past 90 days

Create README_EN.md and standardize APK naming/documentation

Current README and all filenames are Chinese-only, limiting discoverability and contributions from international developers. Many APK names include version numbers, special characters, and inconsistent formatting (e.g., '喵影视TV_3.8.0.apk' vs 'IKTV_50.0.0.apk' vs 'simpleliveTV-v1.1.0-32位系统.apk'). Standardize naming and add English documentation to increase visibility.

• [ ] Create README_EN.md with full translation, English category descriptions, and setup instructions
• [ ] Establish APK naming convention: {AppName}{Version}{Architecture}.apk (e.g., MiaoVideo_3.8.0_universal.apk, SimpleTV_1.1.0_arm32.apk)
• [ ] Rename all existing APKs to standard format with a migration script and commit message documenting changes
• [ ] Add description field to README list: {App Name} - {Category} - {Brief Feature Description} - {Last Verified Date}

• Add a SOURCES.md documentation file listing all streaming source URLs separately with last-tested dates and fallback alternatives, reducing single-point-of-failure risk for users when URLs break.
• Create a simple APK_CHECKSUMS.txt (SHA256 hashes) for all .apk files to enable integrity verification on download—automate this with a shell script to help future maintainers update it as new APKs are added.
• Document setup instructions for 5-10 of the most popular apps (e.g., 'TVBox apps with JSON source import', 'Music/KTV apps that require login bypass') in a SETUP_GUIDES/ subdirectory with screenshots, reducing friction for new Android TV users.

This repository presents CRITICAL security and legal risks

• Critical · Distribution of Potentially Pirated Content — Repository root directory - all .apk files, README.md. Repository contains numerous Android TV APK files with descriptions indicating they provide unauthorized access to premium content (VIP movies, TV shows) without proper licensing. This facilitates copyright infringement and distribution of pirated media. Fix: Remove all APK files distributing pirated or unlicensed content. Only distribute applications with proper licensing and rights. Comply with copyright and intellectual property laws.
• Critical · Distribution of Modified/Cracked Applications — Multiple APK files with 'VIP', '会员', '高级版', '已解锁', 'TVBox' in filenames. Many APK files appear to be modified versions of legitimate applications with features unlocked (e.g., '【高级版】喵影视TV', '登录既是会员', 'Keep健身TV免登陆', '已解锁全部功能'). Distributing cracked/modified APKs violates terms of service and may contain malicious modifications. Fix: Remove cracked and modified APK distributions. Direct users to official app stores and legitimate sources. Respect application developers' licensing terms.
• High · No Integrity Verification for Downloaded APKs — All .apk files in repository. Repository provides no checksums, signatures, or integrity verification for any APK files. Users cannot verify authenticity or detect tampering, potentially exposing them to malware-infected versions. Fix: If distribution is to continue, implement cryptographic verification: provide SHA-256 checksums and digital signatures for all APKs. Use code signing certificates.
• High · Hardcoded Configuration in README — README.md - TVBox configuration section. README.md contains a hardcoded TVBox configuration URL with share token exposed: 'https://freed.yuanhsing.cf/TVBox/meowcf.json?share_token=036bbcd1-b727-45c7-93ca-c9cb0f466ab3'. This exposes sensitive authentication tokens in public version control. Fix: Remove hardcoded share tokens and sensitive credentials from version control. Use environment variables or secure configuration management. Invalidate the exposed share_token immediately.
• High · Supply Chain Risk - Unvetted APK Sources — All .apk files in repository. APK files appear to be collected from various sources without verification of their origin, compilation source, or security. Third-party APKs may contain backdoors, spyware, or other malware. Fix: Implement thorough security scanning of all APKs using VirusTotal, Androguard, or similar tools. Verify sources and compile from open-source repositories where available. Document provenance of each APK.
• Medium · Potential Malware Distribution Vector — Repository purpose and structure. Repository structure and content suggest it functions as a distribution channel for modified applications and potentially malicious APKs. Users downloading from this repo face high risk of malware infection. Fix: Conduct security audit of all included APKs for malicious code. Use static analysis tools (Frida, Jadx) and dynamic analysis (Android emulator) to detect malware, privilege escalation attempts, or unauthorized permissions.
• Medium · Missing Security Policy Documentation — README.md, repository root. No security policy, vulnerability disclosure process, or safety warnings provided. Users are not informed of risks associated with downloading and installing these APKs. Fix: Add clear warnings about risks. Create SECURITY.md with vulnerability reporting process. Document known issues and security considerations. Recommend users only install from trusted sources.
• Low · Incomplete File Archive (7z file included) — 宝宝趣学/宝宝趣学TVBox本地接口.7z. Repository contains a .7z compressed archive ('宝宝趣学TVBox本地接口.7z') without documentation. Compressed files obscure content and complicate security verification. Fix: Document purpose of all archived files. Extract and verify contents. Consider if archive distribution is necessary or if files should be available uncompressed for transparency.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.