AI Analysis
Final verdict: SUSPICIOUS
The package exhibits moderate risks due to potential obfuscation and shell execution practices, but lacks clear indicators of malicious intent such as credential harvesting.
- High obfuscation risk
- Potential risks from shell execution
Per-check LLM notes
- Network: The network calls seem to be standard HTTP requests which could be part of legitimate API interactions with Spotify's services.
- Shell: The shell execution patterns indicate the package may be using external tools like rg, ffprobe, and osascript, which could be risky if not properly sanitized or if used to execute arbitrary commands.
- Obfuscation: The code uses base64 decoding which may indicate an attempt to hide the source of certain strings or URLs, raising suspicion.
- Credentials: No clear patterns indicative of credential harvesting were found.
- Metadata: The maintainer has only one package, which may indicate a new or less active account, raising some suspicion but not conclusive evidence of malice.
Heuristic Checks
Outbound Network Calls
score 9.0
Found 6 network call pattern(s); matched snippets (truncated by the scanner, one per match):
- cls._sync_client = httpx.Client(limits=limits, timeout=30.0) return cls._sync_client
- cls._async_client = httpx.AsyncClient(limits=limits, timeout=30.0) return cls._async_clien
- s None: session = httpx.Client(timeout=15.0) _spotify_session_cache["session"]
- s=30) self._session = httpx.Client(limits=limits, timeout=15.0) self._session.headers.u
- cretDict.json" resp = httpx.get(url, timeout=5.0) if resp.status_code == 200:
- out_s self._session = httpx.Client( timeout=timeout_s, headers={
Code Obfuscation
score 6.0
Found 3 obfuscation pattern(s); matched snippets (truncated by the scanner, one per match):
- ry: decoded = base64.b64decode(match.group(1)).decode('utf-8') cfg = json.l
- match.group(1) base = base64.b64decode("aHR0cHM6Ly9tdXNpYy5hbWF6b24uY29tL3RyYWNrcy8=").decode()
- esult: try: raw = base64.b64decode(manifest_b64) except Exception as exc: raise Par
The hard-coded literal in the second match decodes to the URL prefix https://music.amazon.com/tracks/ (decoded here for review; the scanner reports only the encoded form).
Shell / Subprocess Execution
score 10.0
Found 6 shell execution pattern(s); matched snippets (truncated by the scanner, one per match):
- g() -> bool: try: subprocess.run(["rg", "--version"], stdout=subprocess.DEVNULL, stderr=subpr
- ] try: proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text
- at: try: result = subprocess.run( ["ffprobe", "-v", "quiet", "-print_format", "js
- title "{title}"' subprocess.run(["osascript", "-e", script], timeout=3, check=False)
- }") else: subprocess.run(["notify-send", title, body], timeout=3, check=False) ex
- form == "darwin": subprocess.Popen(["open", path]) elif sys.platform == "win32":
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
No author email provided
Suspicious Page Links
All external links appear legitimate
Git Repository History
Repository ShuShuzinhuu/SpotiFLAC-Module-Version appears legitimate
Maintainer History
score 2.0
1 maintainer concern(s) found
Author "ShuKurenais, BartolomeoRusso9" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with SpotiFLAC
Create a Python-based command-line application called 'Flacify' that leverages the 'SpotiFLAC' package to convert Spotify track links into high-quality FLAC audio files. The application should allow users to input one or multiple Spotify track URLs and download the corresponding FLAC files directly from supported music streaming services like Tidal, Qobuz, and Amazon Music without requiring any accounts on these platforms. The app should include the following features:
1. User-friendly interface for entering Spotify track links.
2. Ability to handle single track downloads as well as batch processing of multiple tracks.
3. Option to specify the output directory for downloaded FLAC files.
4. Progress bar and status updates during the download process.
5. Error handling and retry mechanisms for failed downloads.
6. Optional feature to automatically organize downloaded files into artist/album folders.
7. Support for command-line arguments to configure options like output directory and file organization.
In utilizing the 'SpotiFLAC' package, your task will involve calling its functions to fetch and download the FLAC versions of the specified tracks. Ensure you document each step of the implementation process, including how 'SpotiFLAC' is integrated into your application flow, and provide clear instructions on setting up and running the application.