AI Analysis
Final verdict: SUSPICIOUS
The package exhibits multiple indicators of potential risk, including shell execution, obfuscation techniques, and possible typosquatting. While these do not definitively point to malicious intent, they raise significant concerns about its safety.
- High shell risk due to execution of external tools
- Potential code injection through use of eval()
- Possible typosquatting targeting 'arq'
Per-check LLM notes
- Network: The network calls seem to be part of normal HTTP requests possibly for fetching resources or updates, but the context is unclear.
- Shell: Executing external tools like gosec, staticcheck, semgrep, and eslint suggests the package may be performing code analysis, which is legitimate but could also indicate attempts to hide malicious activities.
- Obfuscation: The presence of eval() and attempts to replace it suggest potential for code injection attacks, indicating a higher risk.
- Credentials: Usage of environment variables like GITHUB_TOKEN indicates possible credential handling, but without context on how it's used, the risk is moderate.
- Metadata: The author's name is missing and the account seems new or inactive, which raises some concerns but does not strongly indicate malicious intent.
- ⚠ Typosquatting target: arq
Heuristic Checks
Outbound Network Calls
score 9.0
Found 6 network call pattern(s)
Matched snippets (truncated fragments as captured by the scanner):
- ) -> list: async with httpx.AsyncClient(timeout=30.0) as client: tasks = [
- try: with httpx.Client(timeout=1) as client: client.get(f"http:st:{port}{path}"
- with httpx.Client(timeout=5) as client: r = client.get(url, params
- try: with httpx.Client(timeout=3.0) as client: r = client.get(f"{se
- False, } with httpx.Client(timeout=60.0) as client: resp = client.post(self
- None] = [] async with httpx.AsyncClient(timeout=20.0) as client: for item in findings_wi
Code Obfuscation
score 10.0
Found 6 obfuscation pattern(s)
Matched snippets (truncated fragments as captured by the scanner; several are rule-table entries and a helper that rewrites eval( to ast.literal_eval( rather than calls to eval itself):
- pression": "SECURITY-001", # eval() with variable
- "security/detect-non-literal-regexp": "S
- "no-eval": "SECURITY-001", # eval() — same as SECURITY-001 "no-implied-eval": "SECURITY-00
- ct | None: """Replace eval() with ast.literal_eval() for safer evaluation""" fie
- _num - 1] # Replace eval( with ast.literal_eval( if "eval(" in original_line
- ast.literal_eval( if "eval(" in original_line and "literal_eval" not in original_line:
- line = original_line.replace("eval(", "ast.literal_eval(") return {
Shell / Subprocess Execution
score 10.0
Found 6 shell execution pattern(s)
Matched snippets (truncated fragments as captured by the scanner):
- try: proc = subprocess.run( [self.GOSEC_PATH, "-fmt", "json", "./..
- try: proc = subprocess.run( [self.STATICCHECK_PATH, "./..."],
- e: proc = subprocess.run( [ "semg
- _content) proc = subprocess.run( ["eslint", "--format", "json", *rel_files],
- t context. proc = subprocess.run(cmd, capture_output=True, text=True, timeout=180, cwd=str(se
- try: proc = subprocess.run( cmd, capture_output=True,
Credential Harvesting
score 2.5
Found 1 credential access pattern(s)
Matched snippet (truncated fragment as captured by the scanner):
- dev/v1/query" _GITHUB_TOKEN = os.getenv("GITHUB_TOKEN", "") # Risk thresholds RISK_HIGH = 70 RISK_MEDIUM = 40
Typosquatting
score 3.0
Possible typosquat of: arq
"acrqa" is 2 edit(s) from "arq"
Registered Email Domain
Email domain looks legitimate: gmail.com
Suspicious Page Links
All external links appear legitimate
Git Repository History
Repository ahmed-145/acr-qa appears legitimate
Maintainer History
score 4.0
2 maintainer concern(s) found
- Author name is missing or very short
- Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.