actualpy

v0.22.2 suspicious
7.0
High Risk

Implementation of the Actual API to interact with Actual over Python.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits a high level of risk due to its use of shell execution via PowerShell, which can be exploited for malicious activities. While there are no clear signs of credential harvesting, the combination of network calls, obfuscated code, and questionable metadata raises significant concerns.

  • High shell execution risk
  • Moderate network and obfuscation risks
  • Suspicious metadata
Per-check LLM notes
  • Network: The network call pattern suggests the package is making HTTP requests to an API with a token, which could be legitimate but also indicates potential unauthorized data transmission.
  • Shell: The shell execution pattern is highly suspicious as it uses PowerShell to start a process, which could potentially be used to execute arbitrary commands on the system, indicating a high risk of malicious activity.
  • Obfuscation: The code uses base64 and AES encryption which can be used for both legitimate purposes and obfuscation, indicating a moderate risk.
  • Credentials: No clear patterns of credential harvesting were detected, suggesting low risk.
  • Metadata: The maintainer's author name is missing and they appear to be new or inactive, raising some suspicion but not conclusive evidence of malice.

🔬 Heuristic Checks

Outbound Network Calls score 3.0

Found 2 network call pattern(s)

  • uests_session: httpx.Client = httpx.Client( base_url=self.api_url, headers=extra_headers, v
  • time.sleep(1) httpx.get(url, params={"token": "mytoken"}) def _login_fn(_url: s
Code Obfuscation score 10.0

Found 6 obfuscation pattern(s)

  • binary_data = io.BytesIO(base64.b64decode(encrypted["value"])) encryption_meta = encrypted["me
  • rovided metadata.""" iv = base64.b64decode(encrypt_meta.iv) auth_tag = base64.b64decode(encrypt_met
  • crypt_meta.iv) auth_tag = base64.b64decode(encrypt_meta.auth_tag) return decrypt(master_key, iv, ci
  • "iv": base64.b64decode(encrypted_content["meta"]["iv"]), "a
  • "authTag": base64.b64decode(encrypted_content["meta"]["authTag"]),
  • "data": base64.b64decode(encrypted_content["value"]), }
Shell / Subprocess Execution score 2.0

Found 1 shell execution pattern(s)

  • uoted exit_code = subprocess.call(["powershell.exe", "-NoProfile", "-Command", f'Start-Process
Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: gmail.com>

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository bvanelli/actualpy appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with actualpy 
Create a mini-application called 'ActualSync' using the Python package 'actualpy', which allows users to synchronize their tasks and notes between Actual and their local system. This application will serve as a bridge between the Actual platform and your personal task management needs.

Step 1: Setup
- Install the 'actualpy' package via pip.
- Authenticate the user with their Actual credentials to gain access to their tasks and notes.

Step 2: Core Functionality
- Develop a command-line interface (CLI) that allows users to view, add, edit, and delete tasks and notes directly through the terminal.
- Implement synchronization functionality where changes made locally are reflected on the Actual platform and vice versa.
- Ensure real-time updates if possible, or at least provide an option to manually trigger synchronization.

Step 3: Advanced Features
- Integrate support for tags and categories so users can organize their tasks and notes more effectively.
- Add a feature to set reminders and notifications for upcoming tasks.
- Provide a way to export tasks and notes into different formats like CSV or JSON for backup purposes.

How to Utilize 'actualpy'
- Use 'actualpy' to authenticate and manage sessions securely.
- Leverage its APIs to fetch, update, create, and delete tasks and notes efficiently.
- Explore additional functionalities provided by 'actualpy' such as searching, filtering, and sorting options to enhance the user experience.

Your goal is to build a robust, user-friendly tool that maximizes the potential of the 'actualpy' package while providing seamless integration with the Actual platform.