AI Analysis
Final verdict: SUSPICIOUS
While the package shows no immediate signs of malicious activity, the metadata risks such as the recent upload time, lack of author information, and single-package account raise concerns about its legitimacy.
- Recent upload time
- Missing author information
- Single package account
Per-check LLM notes
- Network: The use of httpx.Client suggests network communication, which could be legitimate if the package is designed to interact with web services.
- Shell: No shell execution patterns were detected.
- Obfuscation: No obfuscation patterns detected, indicating low risk.
- Credentials: No credential harvesting patterns detected, indicating low risk.
- Metadata: The recent upload time, missing author information, and single package account suggest potential risk.
Heuristic Checks
Outbound Network Calls
score 1.5
Found 1 network call pattern(s)
sleep self._client = httpx.Client( base_url=base_url, timeout=timeou
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
No shell execution patterns detected
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
Email domain looks legitimate: rosenbound.com>
Suspicious Page Links
All external links appear legitimate
Git Repository History
No GitHub repository linked
No GitHub repository link found
Maintainer History
score 6.0
3 maintainer concern(s) found
Package uploaded less than 24 hours ago (2026-06-04T21:29:58.000Z)Author name is missing or very shortAuthor "" appears to have only 1 package on PyPI (new or inactive account)