youhunwl/TVAPP
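Collects Android TV box applications from across the web, covering video, live TV, karaoke, tools, games and other categories, and curates quality APK resources with convenient downloads and automatic updates. Provides security verification, a categorized index and compatibility annotations to help users build a home audio-video entertainment center! ✅ Interface configuration sources for media shells such as TVBox/影视仓.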
Solo project — review before adopting
weakest axis: single-maintainer (no co-maintainers visible); no tests detected…
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
No critical CVEs, sane security posture — runnable as-is.
- ✓ Last commit 3d ago
- ✓ Apache-2.0 licensed
- ⚠ Solo or near-solo (1 contributor active in recent commits)
- ⚠ No CI workflows detected
- ⚠ No test directory detected
What would change the summary?
- → Use as dependency: Mixed → Healthy if: onboard a second core maintainer; add a test suite
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: youhunwl/TVAPP
Generated by RepoPilot · 2026-05-06 · Source
Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/youhunwl/TVAPP shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
Verdict
WAIT — Solo project — review before adopting
- Last commit 3d ago
- Apache-2.0 licensed
- ⚠ Solo or near-solo (1 contributor active in recent commits)
- ⚠ No CI workflows detected
- ⚠ No test directory detected
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live youhunwl/TVAPP
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/youhunwl/TVAPP.
What it runs against: a local clone of youhunwl/TVAPP — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in youhunwl/TVAPP | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch main exists | Catches branch renames |
| 4 | Last commit ≤ 33 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of youhunwl/TVAPP. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/youhunwl/TVAPP.git
#   cd TVAPP
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of youhunwl/TVAPP and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "youhunwl/TVAPP(\.git)?\b" \
  && ok "origin remote is youhunwl/TVAPP" \
  || miss "origin remote is not youhunwl/TVAPP (artifact may be from a fork)"

# 2. License matches what RepoPilot saw.
# Accepts an SPDX identifier line or the "Apache License" heading, which is
# indented in the stock Apache-2.0 LICENSE text.
(grep -qiE "^[[:space:]]*(Apache-2\.0|Apache License)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \
  && ok "default branch main exists" \
  || miss "default branch main no longer exists"

# 4. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 33 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~3d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/youhunwl/TVAPP"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
TL;DR
TVAPP is an Android TV APK repository and resource aggregator that curates TV applications (影视盒子, TVBox, 影视仓, etc.) with built-in m3u8 playlist support and interface source configurations for streaming, karaoke, games, and tools. It solves the fragmented discovery problem for TV box users by centralizing vetted APKs, providing version tracking, compatibility notes, and pre-configured media sources (直播源) for popular TV box shells. Flat hierarchical structure: root contains K歌/, TVBox/, 影视/ directories with raw APK files and minimal markdown documentation; TVBox/ subdirectory has 10+ variants (takagen99, q215613905 forks) with arch-specific builds (arm64-generic, armeabi-hisense, java/python versions); no code modules—purely file-based asset distribution with centralized README.md as the index and routing layer.
Who it's for
Android TV / TV box users who need curated, pre-tested applications with working configurations; repository maintainers and developers building TV box shells (TVBox derivations, 影视仓 forks); community contributors sharing updated APKs and m3u8 playlist sources for Chinese streaming services.
Maturity & risk
Early-stage active collection repo: minimal JavaScript scaffolding (12KB), primary value is organized file structure + README documentation rather than code. No apparent CI/testing infrastructure. The repo shows active community contributions (multiple APK versions per app, frequent version bumps like TVBox 20260227) but lacks formalized release process or automated testing—appears volunteer-maintained.
Single maintainer (youhunwl) with no visible backup; legal/licensing risk inherent to APK redistribution and bypass tools (some APKs appear to be modified/cracked versions with 'VIP解锁' tags suggesting license circumvention); no version audit trail or integrity checks (MD5/GPG signatures absent); dependency on external media sources (m3u8 playlists, interface URLs) that may break without notice; GitHub could remove repository if copyright claims arise.
Active areas of work
Active APK version tracking: recent additions show TVBox takagen99 20260227 build (current as of Feb 2026), 月光宝盒 updated to 20260119, karaoke apps updated to 2.18.x builds. Community appears to be testing TV box shell stability and documenting interface source URLs. No formal changelog or release branch visible—updates appear ad-hoc as PRs merge.
Get running
This is a file distribution repo, not a code project. To use:
```bash
git clone https://github.com/youhunwl/TVAPP.git
cd TVAPP
# Browse README.md for download links
# Download APKs via GitHub raw links or install via ADB:
adb install -r './TVBox/TVBox_takagen99_20260227-1116-arm64-generic-java.apk'
```
No build steps required—this is a curated package repository.
Daily commands: Not applicable—this is not an executable project. To use the applications:
- Clone the repo locally or fetch raw APK URLs
- Copy APKs to Android TV device via:
  ```bash
  adb push <apk-path> /sdcard/Download/
  adb shell pm install /sdcard/Download/<apk-name>
  ```
- Configure interface sources in app settings (paste m3u8 URLs or API endpoints from README)
- Launch app from TV launcher
Map of the codebase
- README.md: Central index: contains version table, download links, interface source configurations (接口源), and live streaming source references (直播源) that users depend on to configure TV box applications
- TVBox/: Flagship app directory: holds 10+ TVBox shell variants (takagen99, q215613905 forks, multiple architectures arm64/armeabi, java/python versions) representing the core product differentiation
- 影视/: Largest feature set: contains 影视仓 (the primary all-in-one streaming shell), FongMi影视, OK影视, 月光宝盒 variants—these are the most-documented and frequently updated apps
- K歌/: Specialized category: karaoke applications (20+ variants) showing breadth of content; demonstrates repo's role in aggregating app-type-specific collections beyond just streaming
- TVBox/README.md: Detailed variant guide: documents differences between architecture builds (arm64-generic, armeabi-hisense) and language variants (java vs python)—critical for end-user selection
- LICENSE: Legal boundary: MIT license declaration limiting liability; important given repo's distribution of modified/repackaged APKs
How to make changes
To contribute:
- Add new APK: Place in appropriate subdirectory (K歌/, 影视/, 娱乐应用/, etc.), update root README.md table with version, download link, status emoji (🟢/🟡/🔴), and notes
- Fix broken links: Edit README.md download hrefs (GitHub raw URLs follow pattern: https://github.com/youhunwl/TVAPP/raw/refs/heads/main/<path>)
- Update interface sources: Add/edit m3u8 URLs and JSON endpoints in README sections labeled '接口源' or '直播源'
- Add version notes: Create or update README.md files in subdirectories (e.g., TVBox/README.md explains arch variants)
- Report issues: Use GitHub Issues to flag dead links or incompatible APK versions
Traps & gotchas
Critical gotchas: (1) APK versions are snapshots—no automatic update mechanism; users must manually re-download and re-install when new versions appear. (2) Interface source URLs (接口源) in README are community-maintained and frequently break; there is no fallback or validation. (3) Some APK filenames indicate modified/cracked versions (e.g., 'VIP解锁', '会员版', '破解版')—installing these may trigger licensing issues or security warnings on some TV boxes. (4) TVBox shell variants have hard dependencies on arch-specific builds (arm64 vs armeabi); installing wrong arch will fail silently or crash. (5) No integrity verification (MD5/GPG)—risk of supply-chain poisoning if GitHub account compromised. (6) Chinese-language-only documentation; non-native speakers may miss critical setup steps in README notes.
Concepts to learn
- m3u8 Playlist Format — TVAPP users depend on m3u8 URLs for live streaming sources (直播源) and VOD playlist integration; understanding playlist structure (extinf tags, codec specs, bandwidth attributes) helps diagnose why channels fail to load
- Android TV Architecture Variants (ARM, ARMv8, x86) — TVBox distributions in this repo ship arch-specific builds (arm64-generic vs armeabi-hisense); mismatched architecture causes silent installation failures—understanding CPU instruction sets is critical for correct APK selection
- APK Signing and Certificate Pinning — Some APKs in this repo are repackaged/modified versions that may have had signatures altered; understanding Android's signature verification and potential bootleg APK risks helps users avoid security compromises
- Media Source Interface Protocols (JSON/XML API vs Playlist) — TV box shells like 影视仓 support multiple source format standards (some use JSON API endpoints, others parse m3u8 playlists); knowing which protocol a source uses helps diagnose configuration errors
- Android Version Compatibility and Fragment APIs — TVAPP notes specify Android version support (e.g., '安卓6.0及以上', '兼容安卓4.4以下'); API level changes affect UI framework calls and media codec availability—critical for app selection on older TV boxes
- IPTV/Live Streaming Source Aggregation — The core function of this repo is curating apps + providing 接口源 (interface sources) that aggregate IPTV channel lists and streaming endpoints; understanding how sources are discovered, validated, and combined is key to contributing meaningful updates
- GitHub Raw Content Delivery and Link Stability — All APK download links use the github.com/youhunwl/TVAPP/raw/refs/heads/main/... pattern; changes to GitHub branch policy or account suspension break all links—understanding raw content delivery lifecycle is essential for maintaining link health
Related repos
- takagen99/TVBox — Direct upstream fork whose builds (takagen99_20260227) are packaged in this repo; understanding the TVBox engine source is essential for troubleshooting and configuring interface sources
- q215613905/TVBox — Alternative TVBox fork also distributed here; represents competing architectural choices (Python vs Java engine) that affect performance and plugin compatibility
- liu673cn/box — Companion interface source repository; provides the m3u8 playlists and API endpoint configurations that TVAPP users reference to populate their TV box shells
- PetterLiu/TVBox — Historical TVBox reference implementation; understanding the original architecture helps explain why modern forks (takagen99, q215613905) diverged into arch-specific and language-specific variants
- nilaoda/go-chuck — Media source indexing tool used by some TV box shells to scrape and aggregate streaming URLs; relevant for understanding how 接口源 data pipelines work
PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Create comprehensive VERSION_COMPATIBILITY.md documenting app compatibility matrix
The repo contains many APK files across K歌, 娱乐应用, 实用工具, and TVBox categories with varying versions, but lacks a structured compatibility guide. Contributors could create a detailed markdown file mapping each app to: minimum Android version, TV box compatibility (generic/Hisense), architecture support (arm64/armeabi), and known issues. This directly addresses the README's mention of 'compatibility annotations' (兼容性标注) that aren't yet formalized.
- [ ] Create VERSION_COMPATIBILITY.md in root directory
- [ ] Add compatibility matrix table for all K歌 apps (currently 20+ versions listed)
- [ ] Add compatibility matrix for 娱乐应用 apps with TVBox/TV-specific notes
- [ ] Reference the existing TVBox variants (q215613905, takagen99 with different architectures) to show arch-specific compatibility
- [ ] Include known issues column linking to relevant GitHub issues
Add SECURITY_VERIFICATION.md with APK validation procedures and checksums
The README claims 'security verification' (安全验证) as a key feature, but there's no documented verification process or checksums for the 50+ APK files in the repo. This is critical for a repo distributing pre-compiled binaries. A contributor should document and implement checksum validation.
- [ ] Create SECURITY_VERIFICATION.md documenting security practices
- [ ] Generate SHA256 checksums for all APK files in K歌/, 娱乐应用/, 实用工具/ directories
- [ ] Create a checksums.txt file in each subdirectory with format: 'filename sha256hash'
- [ ] Document how users can verify downloaded APKs using provided checksums
- [ ] Add a GitHub Actions workflow (.github/workflows/generate-checksums.yml) to auto-generate checksums on commits
Organize and standardize the interface sources (接口源) with structured JSON configuration
The README references '接口源' (interface/source configuration) multiple times as a key feature for TVBox and 影视仓 apps, but no actual configuration file or structured data exists in the repo. The current structure lacks the promised 'interface source collection'. Creating a standardized config would directly enable the primary use case.
- [ ] Create config/ directory with sources.json following TVBox standard format
- [ ] Add documented examples for each source type: TV播放源 (live), 点播源 (VOD), and 直播源 (streaming)
- [ ] Create SOURCES_README.md explaining how to contribute new sources with validation rules
- [ ] Add source validation script (config/validate-sources.js) to check JSON syntax and URL accessibility
- [ ] Link from main README to config/SOURCES_README.md with contribution guidelines
Good first issues
- Add MD5 checksums for all APKs: Create a checksums.md file listing MD5 hashes for each APK to allow users to verify download integrity and detect corrupted files. Scan existing APKs in K歌/, TVBox/, 影视/ and document hashes.
- Document interface source URLs with freshness status: Create a new SOURCES.md file that lists all m3u8 playlists and API endpoints mentioned in README.md with last-tested dates and status (✓ working / ✗ dead / ⏱️ untested). Crowdsource testing via issues.
- Add architecture compatibility matrix: Build a compatibility table in TVBox/README.md showing which TVBox variant (takagen99 arm64-generic, q215613905 armeabi, etc.) works on specific TV box models/manufacturers—currently users guess by trial-and-error.
Top contributors
- @youhunwl — 100 commits
Recent commits
- 7f7d792 — Update FongMi影视 v5.4.6 (youhunwl)
- 2c0698a — Update FongMi影视 v5.4.4 (youhunwl)
- acae014 — Update 宝盒TV 5.1.6 (youhunwl)
- 645d112 — Update ES文件浏览器 v4.4.3.6 (youhunwl)
- 9d7a281 — Update ES文件浏览器 v4.4.3.6 (youhunwl)
- 46cae2d — Update 音悦 v3.2.5 (youhunwl)
- 62b2aee — Update VsTV v1.9.19 (youhunwl)
- abfe670 — Update VsTV v1.9.14 (youhunwl)
- 57e6501 — Update FM影视 built-in coexistence edition v5.4.2 (youhunwl)
- 7ee41a5 — Update FongMi影视 v5.4.2 (youhunwl)
Security observations
This repository presents severe security risks primarily due to distribution of potentially modified/cracked commercial applications without verification, integrity checking, or malware
- Critical · Distribution of Modified/Cracked APK Applications — K歌/, 娱乐应用/, 影视/, 实用工具/ directories. The repository contains numerous APK files with indicators of unauthorized modification including 'VIP版' (VIP versions), '破解版' (cracked versions), '会员版' (member versions), and '解锁' (unlocked) versions. This suggests distribution of pirated software and copyright infringement. Fix: Remove all modified/cracked APK files and only distribute original, unmodified applications from official sources. Implement proper licensing agreements.
- Critical · No Dependency Management or Verification — Root directory - all APK distributions. The repository provides raw APK files without any dependency manifest, package verification, or integrity checking mechanisms. Users cannot verify the authenticity or safety of downloaded applications. Fix: Implement cryptographic signatures (SHA-256 hashes) for all APK files. Provide checksums in a manifest file and document verification procedures for users.
- High · No Source Code Transparency — All .apk files. Repository distributes compiled APK binaries without source code or build information, making it impossible to audit for malware, privacy violations, or security issues within the applications. Fix: Provide links to official open-source repositories for applications where available. For closed-source apps, provide detailed security audits or official documentation.
- High · Unverified Third-Party Application Distribution — All directories containing APK files. The repository collects applications from 'various developers' (各路大神) without validation of their trustworthiness, potential malware risks, or security vulnerabilities. Users could download compromised applications. Fix: Implement application vetting procedures including malware scanning, permission audits, and developer verification before distribution.
- High · Missing Security Scanning and Malware Detection — K歌/, 娱乐应用/, 影视/, 实用工具/ directories. No evidence of automated security scanning (VirusTotal, MobSF, etc.) or malware detection integration for distributed APK files. Fix: Integrate automated scanning tools (VirusTotal API, MobSF, Quark Engine) for all APK submissions. Publish scan results with each application.
- High · Inadequate Licensing and Legal Disclaimers — README.md. While a basic disclaimer exists in README, it's insufficient for distribution of potentially modified commercial applications. No clear licensing structure or terms of service. Fix: Add comprehensive Terms of Service, Privacy Policy, and DMCA takedown procedures. Clarify liability limitations and user responsibilities.
- Medium · No Access Control or Usage Analytics — GitHub repository structure. Repository provides direct download links without tracking, rate limiting, or abuse prevention mechanisms. Could enable large-scale malware distribution. Fix: Implement download logging, rate limiting, and anomaly detection. Monitor for suspicious download patterns.
- Medium · Missing Security Update Mechanism — Repository documentation and APK files. While README mentions 'auto-update' capability, there's no evidence of secure update delivery, signature verification, or rollback procedures in the distribution mechanism. Fix: Implement secure update delivery using digital signatures. Document update verification procedures and maintain update history.
- Medium · No Vulnerability Disclosure Policy — README.md, repository settings. Repository lacks a responsible vulnerability disclosure policy or security contact information for reporting issues. Fix: Add SECURITY.md file with vulnerability reporting procedures, security contact email, and responsible disclosure timeline.
- Low · Incomplete Repository Metadata — Repository root. Missing CONTRIBUTING.md, CODE_OF_CONDUCT.md, and other standard security-related documentation. Fix: Add standard GitHub security files: SECURITY.md, CODEOWNERS, and pull request templates with security checklists.
LLM-derived; treat as a starting point, not a security audit.
Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.