AI Analysis
Final verdict: SUSPICIOUS
The package exhibits characteristics that may indicate potential risks, primarily due to its novelty, minimal maintainer history, and lack of transparency in source code management.
- High metadata risk due to lack of maintainer history and public repository.
- Potential obfuscation techniques used.
Per-check LLM notes
- Network: The network calls appear to be related to attestation and logging, which could be legitimate for security purposes.
- Shell: The shell commands seem to interact with TPM for PCR operations, likely for integrity verification but could indicate risky behavior if misused.
- Obfuscation: The observed base64 decoding and JSON loading could indicate an attempt to obfuscate code, but it is also common practice in many applications for data handling.
- Credentials: No clear patterns of credential harvesting were detected.
- Metadata: The package shows signs of being potentially malicious due to its newness, lack of maintainer history, and the absence of a public git repository.
Heuristic Checks
Outbound Network Calls
score 4.5
Found 3 network call pattern(s)
- ort base64 response = httpx.post( f"{self._url}/v1/attest", json={"ma
- }, } response = httpx.post( f"{rekor_url}{REKOR_API_PATH}", json=entry,
- try: response = httpx.get( f"{rekor_url}{REKOR_API_PATH}/{entry.entry_id}"
Code Obfuscation
score 10.0
Found 5 obfuscation pattern(s)
- body_decoded = json.loads(base64.b64decode(entry_data.get("body", ""))) return TransparencyLogEntr
- {}) decoded = json.loads(base64.b64decode(entry_data.get("body", "e30="))) actual_hash = (
- te_key.private_bytes( __import__("cryptography.hazmat.primitives.serialization", fromlist=["Encoding"]).Encoding.Raw, __import__("cryptography.hazmat.primi
- ding"]).Encoding.Raw, __import__("cryptography.hazmat.primitives.serialization", fromlist=["PrivateFormat"]).PrivateFormat.Raw, __import__("cryptography.hazmat.
- ]).PrivateFormat.Raw, __import__("cryptography.hazmat.primitives.serialization", fromlist=["NoEncryption"]).NoEncryption(), ).hex() (out / "private.hex").write
Shell / Subprocess Execution
score 4.0
Found 2 shell execution pattern(s)
- 6:{digest}" result = subprocess.run( ["tpm2_extend", f"-i{self._pcr}", f"-g=sha256",
- d PCR values result = subprocess.run( ["tpm2_pcrread", f"sha256:{self._pcr}"],
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
Email domain looks legitimate: opaque.co
Suspicious Page Links
All external links appear legitimate
Git Repository History
score 3.0
Repository not found (deleted or private)
Maintainer History
score 8.0
4 maintainer concern(s) found
- Only one version has ever been released — brand new package
- Package is very new: uploaded 2 day(s) ago
- Author name is missing or very short
- Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with agent-manifest
Create a Python-based application named 'AI-Agent-Verifier' that leverages the 'agent-manifest' package to ensure the integrity and trustworthiness of deployed AI agents. The app should be designed to generate, verify, and manage cryptographic manifests for AI agents. Here’s a detailed breakdown of the steps and features:
1. **Setup**: Begin by installing the 'agent-manifest' package and setting up a clean Python environment. Ensure your application can read configuration files for AI agents.
2. **Generate Manifest**: Develop a feature within 'AI-Agent-Verifier' that allows users to input details about an AI agent (such as its model, training data sources, parameters, etc.) and then generate a cryptographic manifest for it using the 'agent-manifest' SDK. This manifest should include all ten artifacts required by the package.
3. **Verification Module**: Implement a verification module that can take a deployed AI agent and its manifest, and check if they match cryptographically. This ensures the agent has not been tampered with since deployment.
4. **Audit Log**: Integrate an audit log functionality that records every time a manifest is generated or verified, along with the outcome of each verification attempt. This helps in maintaining a history of trustworthiness.
5. **User Interface**: Optionally, develop a simple command-line interface (CLI) or a basic web UI that makes it easy for non-technical users to interact with 'AI-Agent-Verifier'.
6. **Documentation**: Provide comprehensive documentation on how to install, use, and extend 'AI-Agent-Verifier', including examples of typical use cases and best practices for ensuring the security of AI deployments.
7. **Testing**: Write tests to ensure that your application correctly generates and verifies manifests according to the specifications provided by the 'agent-manifest' package.
The 'agent-manifest' package will be central to the application, used for generating and verifying the cryptographic anchors of AI agent artifacts. Your goal is to create a tool that not only demonstrates the power of the 'agent-manifest' package but also provides real-world value in securing AI deployments.