HomeCopy

v0.9.0: suspicious (score 6.0, Medium Risk)

Installer CLI for building the HomeCopy desktop app from GitHub source.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate risks, particularly concerning network calls and credential handling. While it does not definitively indicate malicious intent, the combination of signals suggests potential vulnerabilities that require caution.

  • moderate network risk
  • potential misuse of GITHUB_TOKEN

Per-check LLM notes
  • Network: Network calls to external URLs are observed, which could be for legitimate updates but warrant further investigation into the package's purpose.
  • Shell: Shell execution patterns include pip and ensurepip commands, which might be intended for package maintenance but could also indicate unexpected behavior requiring closer scrutiny.
  • Obfuscation: No obfuscation patterns detected.
  • Credentials: Potential risk of unauthorized access as the code checks for and uses an environment variable 'GITHUB_TOKEN' which could be misused if not properly secured.
  • Metadata: The package is new and the maintainer has limited history, raising some suspicion but not definitive evidence of malice.

🔬 Heuristic Checks

Outbound Network Calls score 7.5

Found 5 network call pattern(s)

  • "get-pip.py" with urllib.request.urlopen(GET_PIP_URL, timeout=60) as response, script_path.op
  • : str) -> dict: request = urllib.request.Request(url, headers=_headers()) with urllib.request.url
  • headers=_headers()) with urllib.request.urlopen(request, timeout=30) as response: return jso
  • exist_ok=True) request = urllib.request.Request(remote.archive_url, headers=_headers()) with url
  • headers=_headers()) with urllib.request.urlopen(request, timeout=120) as response, archive_path.open

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • ensurepip") try: subprocess.run( [sys.executable, "-m", "ensurepip", "--upgrade"
  • (response.read()) subprocess.run([sys.executable, str(script_path)], check=True) subproc
  • ript_path)], check=True) subprocess.run([sys.executable, "-m", "pip", "install", "--upgrade", "pip"]
  • try: completed = subprocess.run( [sys.executable, "-m", "pip", "--version"],
  • try: completed = subprocess.run( command + ["-c", "import sys; print('.'.join(ma
  • un] {' '.join(command)}") subprocess.run(command, check=True, cwd=cwd, env=dict(env) if env else None

Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • ler/0.9.0", } token = os.environ.get("GITHUB_TOKEN") if token: headers["Authorization"] = f"Bearer

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 4.0

2 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Author "Tommy-OMI" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with HomeCopy:

Create a fully-functional mini-application called 'QuickSetup' using the Python package 'HomeCopy'. This application should streamline the process of setting up a development environment for new projects by automating the installation of dependencies and configuration files. Here's a detailed outline of what QuickSetup should accomplish:

1. **Project Initialization**: Allow users to initialize a new project directory with a simple command. This command should create a basic structure including necessary folders like 'src', 'tests', 'docs', and 'config'.
2. **Dependency Management**: Integrate 'HomeCopy' to install all required dependencies listed in a specified requirements.txt file. The dependencies should be installed into a virtual environment created specifically for the project.
3. **Configuration Setup**: Automatically generate and place essential configuration files (like .gitignore, .env, etc.) within the project directory based on predefined templates.
4. **Customization Options**: Provide options for users to customize their setup further, such as selecting specific dependency versions or adding additional configuration settings.
5. **Post-Installation Actions**: After setup, run any post-installation scripts or commands to finalize the environment setup, ensuring everything is ready for immediate use.
6. **User Interface**: Develop a user-friendly CLI interface that guides users through each step of the setup process, providing clear instructions and feedback at every stage.

The core feature of 'HomeCopy' will be used extensively throughout this application to automate the installation of dependencies and manage the project setup process efficiently. Ensure that QuickSetup is designed to be flexible and scalable, allowing for easy updates and modifications as development needs evolve.