Package Metadata

Author: Al Duncanson
Email: Al Duncanson <[email protected]>
PyPI: a2a-handler
Python: >=3.11
Versions: 21 releases
First release: 04 Dec 2025, 07:11 UTC
Analysed: 05 Jun 2026, 22:53 UTC
Source files: 56 .py files scanned

Project Links

Changelog Documentation Homepage Issues Repository

Classifiers

Development Status :: 4 - BetaEnvironment :: ConsoleIntended Audience :: DevelopersLicense :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)Operating System :: OS IndependentProgramming Language :: Python :: 3Programming Language :: Python :: 3.11Programming Language :: Python :: 3.12Programming Language :: Python :: 3.13Topic :: Software Development :: Libraries :: Python Modules

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate risks due to network and shell execution activities, suggesting potential for external command execution and data communication. While there's no clear evidence of malicious intent, these behaviors warrant further investigation.

High shell execution risk
Moderate network risk

Per-check LLM notes

Network: Network calls suggest the package communicates with external services, which could be legitimate but also indicates potential data exfiltration risks.
Shell: Shell execution patterns indicate the package may execute external commands, including 'ollama', which might be intended for functionality but also poses risks such as executing arbitrary code.
Obfuscation: The use of __import__ and contextlib.suppress suggests an attempt to hide or complicate the code's readability, which is common in obfuscation but could also be used for legitimate purposes like error handling.
Credentials: No clear signs of credential harvesting detected.
Metadata: The maintainer has only one package, which could indicate a new or less active account, raising some suspicion but not conclusive evidence of malice.

🔬 Heuristic Checks

⚠ Outbound Network Calls score 9.0

Found 6 network call pattern(s)

ocs_url(source) request = urllib.request.Request(url, headers={"User-Agent": "a2a-handler/agent"})
a2a-handler/agent"}) with urllib.request.urlopen( request, timeout=A2A_DOCS_FETCH_TIM
f.scopes) async with httpx.AsyncClient(trust_env=False) as token_client: response = awa
AuthType.MTLS: return httpx.AsyncClient( timeout=effective_timeout, verify=c
v=False, ) return httpx.AsyncClient(timeout=effective_timeout, trust_env=False) def build_stre
AuthType.MTLS: return httpx.AsyncClient( timeout=timeout, verify=credentials

⚠ Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

t BaseException: with __import__("contextlib").suppress(OSError): os.unlink(tmp_path)

⚠ Shell / Subprocess Execution score 8.0

Found 4 shell execution pattern(s)

e SystemExit(1) result = subprocess.run(command, check=False) if result.returncode != 0:
""" try: result = subprocess.run( ["ollama", "list"], capture_output=
n") try: result = subprocess.run( ["ollama", "pull", model], timeout=
_handler_agent_process = subprocess.Popen( [ sys.executable,

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: proton.me>

✓ Suspicious Page Links

All external links appear legitimate

✓ Git Repository History

Repository alDuncanson/handler appears legitimate

⚠ Maintainer History score 2.0

1 maintainer concern(s) found

Author "Al Duncanson" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with a2a-handler

Build a simple Python application using the a2a-handler package to demonstrate its core features.