agent-feed

v1.1.6 suspicious
7.0
High Risk

CLI for installing AGENTS.md, .agents rules, AI coding workflows, and client adapters into software projects.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits multiple risky behaviors including high shell execution risk, obfuscation, and credential handling issues, suggesting potential security vulnerabilities or malicious intent.

  • High shell risk due to execution of git and gh commands
  • Obfuscation through base64 decoding without clear purpose
  • Potential credential harvesting from environment variables

Per-check LLM notes
  • Network: The network calls are likely for fetching remote resources or updates, which is common but should be reviewed for legitimacy.
  • Shell: Executing shell commands like git and gh can pose risks if not properly controlled, especially 'gh auth token' which could expose authentication tokens.
  • Obfuscation: Base64 decoding of strings without clear purpose suggests potential obfuscation for hiding code logic or malicious content.
  • Credentials: Accessing GITHUB_TOKEN from environment variables without proper context indicates high risk of credential harvesting or misuse.
  • Metadata: The author has only one package, which might indicate a new or less active account, but no other red flags are present.

🔬 Heuristic Checks

⚠ Outbound Network Calls score 4.5

Found 3 network call pattern(s)

  • | None: try: with httpx.Client(timeout=timeout, follow_redirects=True) as client:
  • rors: list[str] = [] with httpx.Client(timeout=DEFAULT_TIMEOUT, follow_redirects=True) as client:
  • RemoteSkillPackage: with httpx.Client(timeout=DEFAULT_TIMEOUT, follow_redirects=True) as client:

⚠ Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • hub.repo}/{path}") return base64.b64decode("".join(encoded.split())) def parse_frontmatter(content: s

⚠ Shell / Subprocess Execution score 4.0

Found 2 shell execution pattern(s)

  • tr: try: result = subprocess.run( ["git", "-C", str(root), *args], ch
  • ne: try: result = subprocess.run( ["gh", "auth", "token"], check=Fals

⚠ Credential Harvesting score 5.0

Found 2 credential access pattern(s)

  • > str | None: env_token = os.environ.get("GITHUB_TOKEN", "").strip() if env_token: return env_token
  • resolved_token = (token or os.environ.get("GITHUB_TOKEN", "")).strip() if resolved_token: headers["Auth

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

No author email provided

✓ Suspicious Page Links

All external links appear legitimate

✓ Git Repository History

Repository fqmyysjjd/agent-feed appears legitimate

⚠ Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Agent Feed Contributors" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agent-feed
Create a Python-based mini-application named 'AgentWorkbench' that leverages the 'agent-feed' package to streamline the integration of AI-driven coding workflows into software projects. This application should serve as a user-friendly interface for managing and deploying AI agents specified in AGENTS.md files. Here’s a step-by-step guide on what your application should accomplish:

1. **Setup**: Ensure your application initializes properly by checking if 'agent-feed' is installed. If not, provide instructions for installation.
2. **Project Integration**: Develop a feature that allows users to specify a target software project directory. Your application should then use 'agent-feed' to install any AI agents defined within an AGENTS.md file located in the root of the project directory.
3. **Agent Management**: Implement functionalities to list, enable, disable, and remove AI agents from a project. This includes parsing the .agents rules and applying them based on user input.
4. **Workflow Automation**: Design a module that automates common coding tasks using the installed AI agents. For example, code generation, refactoring, testing, etc., should be automated based on the workflow specifications provided in the AGENTS.md file.
5. **Client Adapters**: Integrate support for various client adapters that facilitate communication between different development tools and the AI agents. Users should be able to select which adapter(s) to use when setting up their project.
6. **Customization**: Allow users to customize the behavior of AI agents through configuration files or command-line options.
7. **Reporting & Logging**: Include a feature that logs actions performed by the AI agents and provides reports on their effectiveness in improving coding workflows.
8. **Security Measures**: Ensure that all operations performed by the AI agents adhere to security best practices, such as running in a sandboxed environment and requiring explicit user consent for sensitive actions.

Your application should utilize the 'agent-feed' package extensively to handle the installation, management, and execution of AI agents. Make sure to document your code thoroughly and include a README file that explains how to set up and use AgentWorkbench.