ayechat-dev

v0.48.1.20260607162839 suspicious
5.0
Medium Risk

Aye Chat: Terminal-first AI Code Generator

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows signs of potential misuse through network and shell risks, although the obfuscation and credential risks are relatively low. Further investigation into its network activities and the necessity of shell command usage is required.

  • High shell risk due to use of clipboard-related shell commands
  • Network risk present but needs further verification

Per-check LLM notes
  • Network: Network calls to external URLs are common but need verification of their purpose to ensure they are legitimate.
  • Shell: Use of shell commands like xclip and wl-paste suggests clipboard interaction which may be unexpected and could indicate potential data exfiltration activities.
  • Obfuscation: The observed obfuscation is minimal and could be used to hide code structure, but does not strongly indicate malicious intent.
  • Credentials: No suspicious patterns related to credential harvesting were detected.
  • Metadata: Low risk but requires further investigation due to incomplete author information and lack of PyPI classifiers.

📦 Package Quality Overall: Low (4.6/10)

○ Low Test Suite 1.0

No test suite detected

  • No test files or test-runner configuration detected

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (7347 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 394 type-annotated function signatures detected in source

✦ High Multiple Contributors 10.0

Active multi-contributor project

  • 6 unique contributor(s) across 100 commits in acrotron/aye-chat
  • Active community — 5 or more distinct contributors

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • ify = _ssl_verify() with httpx.Client(timeout=TIMEOUT, verify=verify) as client: resp = cl
  • ast_status}") r = httpx.get(response_url, timeout=TIMEOUT, verify=verify) la
  • rify() try: with httpx.Client(timeout=10.0, verify=verify) as client: resp = c
  • " try: response = httpx.get( "https://pypi.org/pypi/ayechat/json",

Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • self._progress_lock = __import__('threading').Lock() def execute_coarse_phase(self, file_list: L

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • s (vim, top, etc.) go through os.system() and return # {"message": ..., "exit_code": ...} -- not
  • try: exit_code = os.system(full_cmd_str) actual_exit_code = exit_code >> 8
  • """ try: result = subprocess.run( ["wl-paste", "--type", "image/png"],
  • """ try: result = subprocess.run( ["xclip", "-selection", "clipboard", "-t", "ima
  • p"): try: subprocess.run( [cmd, "--version"], capture
  • """ try: result = subprocess.run( ["git", "rev-parse", "--show-toplevel"],

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: acrotron.com

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository acrotron/aye-chat appears legitimate

Maintainer History score 6.0

3 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.
