AI Analysis
Final verdict: SUSPICIOUS
The package shows potential signs of credential harvesting and has insecure metadata, raising suspicion about its integrity and intentions.
- High credential risk due to attempts to read sensitive system files.
- Insecure metadata with non-secure links and unclear maintainer history.
Per-check LLM notes
- Network: No network calls detected, which is normal unless the package relies on external services.
- Shell: Executing shell commands can be risky if not properly sanitized, but it may be intended functionality if 'start.py' is part of the package's design.
- Obfuscation: No obfuscation patterns detected in the provided code snippet.
- Credentials: The code snippet appears to be attempting to read and potentially misuse sensitive system files, indicating a high risk of credential harvesting.
- Metadata: The presence of non-secure links and lack of maintainer history raises concerns.
Heuristic Checks
Outbound Network Calls
No suspicious network call patterns found
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
score 2.0
Found 1 shell execution pattern(s)
rsion() -> None: result = subprocess.run( [sys.executable, "config/start.py", "version"],
Credential Harvesting
score 2.5
Found 1 credential access pattern(s)
adapter.list_artifacts("../../etc/passwd").to_dict() assert d["status"] == "error" assert d[
Typosquatting
No typosquatting candidates detected
Registered Email Domain
No author email provided
Suspicious Page Links
score 6.0
Found 3 suspicious link(s) on the package page
Non-HTTPS external link: http://127.0.0.1:8780Non-HTTPS external link: http://127.0.0.1:8780/Non-HTTPS external link: http://127.0.0.1:8780/health
Git Repository History
No GitHub repository linked
No GitHub repository link found
Maintainer History
score 10.0
5 maintainer concern(s) found
Only one version has ever been released — brand new packagePackage uploaded less than 24 hours ago (2026-06-04T18:12:29.000Z)Author name is missing or very shortAuthor "" appears to have only 1 package on PyPI (new or inactive account)Package has no PyPI classifiers (low effort / metadata quality)