kigit

v0.0.1 suspicious
4.0
Medium Risk

KiCad-semantics aware git diff and git status CLI tool

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package has a moderate risk score due to potential unnecessary shell executions and a lack of detailed metadata. While it does not exhibit signs of immediate malicious intent, further scrutiny is warranted.

  • Shell risk detected, though contextually plausible
  • Minimal metadata and no associated GitHub repo

Per-check LLM notes

  • Network: No network calls detected, which is normal and not indicative of malicious activity.
  • Shell: The detected shell execution patterns are likely related to Git operations and Kicad-cli version checks, which seem aligned with the package's probable functionality but should be reviewed for necessity and context.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The package is newly created with minimal information and no associated GitHub repository, raising concerns about its legitimacy.

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 8.0

Found 4 shell execution pattern(s)

  • st_ok=True) try: subprocess.run( [ "kicad-cli",
  • ME try: result = subprocess.run( ["git", "show", f"{ref}:{Path(file_path).as_pos
  • t() -> bool: try: subprocess.run( ["git", "--version"], capture_outpu
  • d() -> bool: try: subprocess.run( ["kicad-cli", "--version"], capture

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 10.0

5 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-05T00:01:05.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)