akashcli

v3.0.0 suspicious
6.0
Medium Risk

Enterprise Developer SDK and CLI for Akash Vault

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package has a moderate risk score due to potential shell injection risks and lack of maintainer history. Further investigation is required.

  • High shell risk due to execution of external commands without proper sanitization.
  • New package with no maintainer history and missing author information.
Per-check LLM notes
  • Network: The network calls are typical for an API interaction, but the base_url should be reviewed to ensure it is not a malicious endpoint.
  • Shell: Executing external commands like VLC can pose a risk if the input is not sanitized, potentially leading to command injection vulnerabilities.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The package is newly uploaded with no maintainer history and lacks an author name, raising suspicion.

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • try: with httpx.Client(base_url=api_url, timeout=10.0) as client: r
  • lient() try: with httpx.Client(base_url=client.base_url) as c: resp = c.get(f"/
  • lf) -> UserInfo: with httpx.Client(base_url=self.base_url) as client: resp = client
  • xpiry) } with httpx.Client(base_url=self.base_url, timeout=None) as client:
  • List[FileInfo]: with httpx.Client(base_url=self.base_url) as client: resp = client
  • elf, code: str): with httpx.Client(base_url=self.base_url) as client: client.delete
Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 2.0

Found 1 shell execution pattern(s)

  • VLC for: {code}") subprocess.Popen(['vlc', url], stdout=subprocess.DEVNULL, stderr=subprocess.S
Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found
Maintainer History score 10.0

5 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-04T18:14:04.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)