AI Analysis
Final verdict: SUSPICIOUS
The package exhibits multiple high-risk behaviors including the use of potentially unsafe subprocess calls, obfuscation techniques, and improper handling of credentials. These indicators suggest a non-trivial level of risk and possible malicious intent.
- High shell risk due to use of 'shell=True'
- Use of 'eval' with user input
- Accessing sensitive environment variables without validation
Per-check LLM notes
- Network: The network calls include custom headers and timeout settings, which might be legitimate but also could indicate external command execution or data exchange.
- Shell: Use of `shell=True` in subprocess calls is risky as it allows for shell injection attacks, suggesting potential for unauthorized command execution.
- Obfuscation: The use of 'eval' with user input is highly suspicious and can be used for code injection attacks.
- Credentials: Accessing environment variables like GITHUB_TOKEN without proper authentication or validation raises concerns about potential misuse.
- Metadata: Suspiciously active but with no community engagement, suggesting potential malicious intent.
Heuristic Checks
Outbound Network Calls
score 4.5
Found 3 network call pattern(s)
Evidence (truncated snippets from scan output):
- not None else None req = urllib.request.Request(url, data=data, method=method) req.add_header("Aent", "agent-guard") with urllib.request.urlopen(req, timeout=20) as resp: body = resp.read()
- = _ctx(tmp_path, "net.py", ["requests.get(url, verify=False)"]) findings = list(DangerousPatternSc
Code Obfuscation
score 2.0
Found 1 obfuscation pattern(s)
Evidence (truncated snippet from scan output):
- (tmp_path, "danger.py", ["x = eval(user_input)"]) findings = list(DangerousPatternScanner()
Shell / Subprocess Execution
score 8.0
Found 4 shell execution pattern(s)
Evidence (truncated snippets from scan output):
- try: result = subprocess.run(cmd, check=True, capture_output=True, text=True) exc
- n.py", ["import subprocess", "subprocess.run('ls', shell=True)"]) findings = list(DangerousPatternSca
- sage="subprocess called with `shell=True` - shell-injection risk", evidence=
- ocess", "subprocess.run('ls', shell=True)"]) findings = list(DangerousPatternScanner().analyze(c
Credential Harvesting
score 2.5
Found 1 credential access pattern(s)
_REPOSITORY") token = os.environ.get("GITHUB_TOKEN") pr_ref = os.environ.get("GITHUB_REF", "")
Typosquatting
No typosquatting candidates detected
Registered Email Domain
No author email provided
Suspicious Page Links
All external links appear legitimate
Git Repository History
score 5.0
Git history flags:
- Repository has zero stars and zero forks
- All 12 commits happened within 24 hours
Maintainer History
score 2.0
1 maintainer concern(s) found
Author "agent-guard contributors" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with ag-scan
Create a mini-application named 'AI-SafetyGuard' using Python, which leverages the 'ag-scan' package to perform safety and risk analysis on codebases before they are pushed to a repository. This application will serve as a pre-commit hook, ensuring that any potential security vulnerabilities or risks associated with AI-assisted coding are detected early. Here's a detailed breakdown of the project requirements:

1. **Project Setup**: Initialize a new Python project. Ensure you have 'ag-scan' installed via pip.
2. **Core Functionality**: Develop a function within your application that accepts a directory path as input and scans it using 'ag-scan'. The scan should analyze the codebase for potential risks related to AI-assisted coding practices.
3. **Output Report Generation**: After scanning, generate a detailed report summarizing the findings. Include categories such as 'Critical', 'High', 'Medium', and 'Low' severity levels based on the results from 'ag-scan'.
4. **Integration with Git**: Implement a feature that allows 'AI-SafetyGuard' to integrate seamlessly as a pre-commit hook in Git repositories. This ensures that every commit goes through a safety check.
5. **User Interface**: Design a simple command-line interface (CLI) for users to interact with 'AI-SafetyGuard'. Users should be able to initiate scans, view reports, and configure settings directly from the CLI.
6. **Configuration Settings**: Allow users to customize the sensitivity of the scans through configuration files. Users should be able to set thresholds for different severity levels and specify which types of risks to prioritize.
7. **Documentation**: Provide comprehensive documentation detailing how to install and use 'AI-SafetyGuard', including examples of typical usage scenarios.
8. **Testing**: Write unit tests to ensure the reliability of your application, focusing particularly on the integration with 'ag-scan' and the accuracy of the output reports.
By completing these steps, you'll create a robust tool that enhances the safety and reliability of AI-assisted coding workflows, ensuring that developers are aware of potential risks before committing their changes.