agent-publish

v0.1.0 suspicious
4.0
Medium Risk

One-shot multi-registry release publisher for OSS packages (Python port of @p-vbordei/agent-publish)

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package has a moderate risk score due to potential shell execution for non-standard purposes and concerns over the maintainer's history and recent activity.

  • Shell risk at 3/10
  • Metadata risk at 7/10

Per-check LLM notes
  • Network: No network calls detected, indicating low risk.
  • Shell: Shell execution patterns observed may be related to git operations or invoking the package's CLI, suggesting potential benign usage but requiring further review.
  • Obfuscation: No obfuscation patterns detected, indicating low risk of malicious intent.
  • Credentials: No credential harvesting patterns detected, suggesting safe handling of secrets and credentials.
  • Metadata: The repository's recent activity and lack of maintainer history suggest potential risks.

🔬 Heuristic Checks

✓ Outbound Network Calls

No suspicious network call patterns found

✓ Code Obfuscation

No obfuscation patterns detected

⚠ Shell / Subprocess Execution score 10.0

Found 5 shell execution pattern(s)

  • } if env else None proc = subprocess.run( [cmd, *args], env=env_clean, captur
  • > tuple[str, int]: proc = subprocess.run( ["git", *args], cwd=cwd, capture_ou
  • env.update(extra_env) r = subprocess.run( [sys.executable, "-m", "agent_publish.cli", *args],
  • r], cwd: str) -> str: r = subprocess.run(["git", *args], cwd=cwd, capture_output=True, text=True, che
  • ef _run(cwd: str): return subprocess.run( [sys.executable, "-m", "agent_publish.cli", "manife

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: gmail.com

✓ Suspicious Page Links

All external links appear legitimate

⚠ Git Repository History score 5.0

Git history flags: Repository has zero stars and zero forks

  • Repository has zero stars and zero forks
  • All 3 commits happened within 24 hours

⚠ Maintainer History score 6.0

3 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agent-publish
Create a mini-application named 'MultiRegistryPublisher' using Python that leverages the 'agent-publish' package to automate the process of publishing open-source software packages across multiple registries in one go. This application should streamline the tedious task of manually uploading packages to various repositories such as PyPI, GitHub Packages, and others. Here’s a detailed breakdown of the project requirements:

1. **Setup Environment**: Begin by setting up your development environment. Ensure you have Python installed, along with pip for managing dependencies.
2. **Project Structure**: Define a clean and organized project structure with directories for source code, tests, configuration files, and documentation.
3. **Dependency Management**: Use 'agent-publish' as the core dependency for handling the publication process. Additionally, include other necessary libraries like setuptools for package management and requests for HTTP operations if needed.
4. **Configuration Handling**: Implement a feature where users can specify which registries they want to publish their package to through a configuration file. Allow customization of registry URLs, API keys, and other credentials securely.
5. **User Interface**: Develop a simple command-line interface (CLI) that guides users through the publication process. Users should be able to initiate the publication, view status updates, and receive feedback on the success or failure of each registry upload.
6. **Error Handling & Logging**: Ensure robust error handling and logging mechanisms are in place. Log errors and warnings to a dedicated log file, and provide meaningful error messages to users for better troubleshooting.
7. **Security Considerations**: Since the application will handle sensitive information such as API keys, ensure that all secrets are stored securely. Avoid hardcoding credentials and instead use environment variables or secure vaults.
8. **Testing**: Write comprehensive unit tests and integration tests to cover different scenarios including successful uploads, failed uploads due to incorrect credentials, and network issues.
9. **Documentation**: Provide clear documentation on how to install, configure, and use 'MultiRegistryPublisher'. Include examples and best practices.
10. **Deployment**: Prepare the application for deployment. Consider packaging it as a standalone executable or a Docker container for easy distribution.

By completing this project, you will not only gain hands-on experience with 'agent-publish', but also improve your skills in Python package management, CLI development, and security practices.