AI Analysis
Final verdict: SUSPICIOUS
The package exhibits several indicators that raise suspicion, including potential obfuscation techniques and low metadata integrity, though there is no definitive proof of malicious intent.
- Potential obfuscation techniques
- Low activity in the git repository
- Anonymous author
Per-check LLM notes
- Network: The presence of network calls with POST requests might indicate legitimate API interactions, but without context, it could also suggest potential data exfiltration.
- Shell: No shell execution patterns were detected.
- Obfuscation: The observed patterns suggest potential obfuscation but could also be legitimate for handling encoded data in cryptographic operations.
- Credentials: No clear evidence of credential harvesting or secret theft patterns.
- Metadata: The package shows some red flags including an anonymous author and low activity in the git repository, but no concrete evidence of malicious intent.
Heuristic Checks
Outbound Network Calls
score 1.5
Found 1 network call pattern(s)
read_timeout)) return requests.post(url, **kwargs) return _transport def _extract_token_m
Code Obfuscation
score 10.0
Found 6 obfuscation pattern(s)
es = prefix.encode("utf-8") + base64.b64decode( self.note_payload_b64 )on_chain_note_bytes = base64.b64decode(on_chain_note_b64) except Exception as exc: # noqa: BLEtry: token_bytes = base64.b64decode(receipt.trusted_timestamp.token_b64) except Exception as(txn) msgpack_bytes = base64.b64decode(msgpack_b64) return ALGORAND_SIGN_PREFIX + msgpack_bON payload. decoded = base64.b64decode(result.note_payload_b64) parsed = json.loads(decodedx) == expected assert base64.b64decode(note.base64) == expected # The full note carries the
Shell / Subprocess Execution
No shell execution patterns detected
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
Email domain looks legitimate: advisa.tech>
Suspicious Page Links
All external links appear legitimate
Git Repository History
score 2.5
Git history flags: Repository has zero stars and zero forks
Repository has zero stars and zero forks
Maintainer History
score 4.0
2 maintainer concern(s) found
Author name is missing or very shortAuthor "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with actproof
Create a mini-application named 'TrustAnchor' that leverages the 'actproof' Python package to provide verifiable receipts for digital documents. This application will allow users to timestamp and anchor their documents using trusted timestamping services compliant with RFC 3161 and Algorand's ARC-2 protocol. Users should be able to upload a document, request a verifiable receipt, and verify the authenticity of the receipt independently. Key Features: 1. Document Upload: Allow users to upload any digital document (e.g., PDF, DOCX). 2. Timestamping Service Selection: Provide options to select between different timestamping services. 3. Receipt Generation: Automatically generate a verifiable receipt after the document has been timestamped. 4. Anchoring on Algorand: Optionally anchor the receipt on the Algorand blockchain for added security. 5. Verification Tool: Include a tool within the app to verify the authenticity of the receipt. 6. User Interface: Design a simple and intuitive user interface. How to Use ActProof: - Utilize 'actproof' to create canonical JSON representations of uploaded documents. - Use 'actproof' to obtain trusted timestamps from selected timestamping services. - Leverage 'actproof' to anchor the receipt on the Algorand blockchain if chosen by the user. - Employ 'actproof' to verify the authenticity of the generated receipts.