hermes-workflow

v0.1.3 suspicious
6.0
Medium Risk

Declarative multi-stage workflow primitive over the Hermes Kanban board.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows signs of potential obfuscation and has been recently uploaded by a maintainer with limited history, raising concerns about its legitimacy.

  • obfuscation risk due to base64 encoding
  • metadata risk due to recent creation and limited maintainer history

Per-check LLM notes
  • Network: No network calls detected, which is normal.
  • Shell: Git commands suggest the package interacts with local repositories, likely for version control purposes.
  • Obfuscation: The use of base64 encoding and decoding might indicate an attempt to obfuscate data, but it could also be used for legitimate purposes such as secure data transmission.
  • Credentials: No clear evidence of credential harvesting was found.
  • Metadata: The recent creation and upload of the package along with the maintainer's limited history suggest potential risk.

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • : str): return json.loads(base64.b64decode(raw.encode("ascii"), validate=True).decode("utf-8")) @data

Shell / Subprocess Execution score 8.0

Found 4 shell execution pattern(s)

  • try: r = subprocess.run( [sys.executable, "-m", "hermes_workflow.pre
  • (repos)) try: r = subprocess.run(["git", "-C", repo, "rev-parse", "HEAD"],
  • ot user data. """ r = subprocess.run( ["git", "-C", workspace_dir, "status", "--porcelain
  • .CompletedProcess: return subprocess.run(args, check=True, capture_output=True, text=True) # tests/t

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 2.5

Git history flags: Repository created very recently: 0 day(s) ago (2026-06-04T19:46:52Z)

Maintainer History score 6.0

3 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-04T22:53:18.000Z)
  • Author "Carlos Raphael" appears to have only 1 package on PyPI (new or inactive account)