sast

v0.1.1 (verdict: suspicious, score 6.0, Medium Risk)

sast — free, fast static application security testing for CI/CD. Installs a self-contained SAST engine (17+ languages, taint tracking, secrets, IaC, SCA; HTML/JSON/SARIF) on first run.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits medium to high risks due to potential network and shell execution behaviors. While there is no evidence of obfuscation or credential harvesting, the recent upload date and limited maintainer activity raise concerns about its legitimacy.

  • network risk
  • shell execution risk
  • metadata risk

Per-check LLM notes
  • Network: The network call pattern suggests the package may be making external requests, which could be for legitimate purposes like fetching updates or data, but warrants further investigation to ensure it's not engaging in unauthorized activities.
  • Shell: Executing shell commands without returning can indicate potential misuse, such as hiding command output or executing arbitrary code, suggesting a higher risk of malicious intent.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The package was uploaded recently and the maintainer has few packages, indicating potential risk.

🔬 Heuristic Checks

Outbound Network Calls (score 3.0)

Found 2 network call pattern(s)

  • es: import ssl req = urllib.request.Request(url, headers={"User-Agent": _USER_AGENT}) try:
  • AGENT}) try: with urllib.request.urlopen(req, timeout=120) as resp: # noqa: S310 (https only

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution (score 2.0)

Found 1 shell execution pattern(s)

  • never returns completed = subprocess.run([path, *args]) return completed.returncode def main(ar

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History (score 4.0)

2 maintainer concern(s) found

  • Package uploaded less than 24 hours ago (2026-06-04T18:09:50.000Z)
  • Author "CQR Cybersecurity LLC" appears to have only 1 package on PyPI (new or inactive account)