agent-skillet

v0.2.0 suspicious
4.0
Medium Risk

Install, version, and sync agent skills in your repository to your favorite agents (Claude, Cursor, Copilot, and similar).

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows potential risks related to credential handling and is maintained by a less active or new maintainer, raising some suspicion about its legitimacy.

  • Credential risk due to retrieval of GITHUB_TOKEN
  • Maintainer has only one package, indicating a possibly new or less active account

Per-check LLM notes
  • Network: The observed network call patterns indicate legitimate HTTP requests but could potentially be used for unexpected data transfer if misused.
  • Shell: No shell execution patterns were detected.
  • Obfuscation: No obfuscation patterns detected in the provided code snippet.
  • Credentials: The code attempts to retrieve a GITHUB_TOKEN from environment variables, which could indicate legitimate use but also poses a risk if not handled securely.
  • Metadata: The maintainer has only one package, indicating a new or less active account which could be suspicious, but no other red flags were raised.

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • : try: response = httpx.get(url, timeout=30, follow_redirects=True) response.rai
  • is None http = client or httpx.Client(timeout=60.0, follow_redirects=True) try: archiv
  • " try: response = httpx.get(url, params={"q": query, "limit": limit}, timeout=10.0)
  • nsport(handler) client = httpx.Client(transport=transport) try: r = resolve_skill_dire

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • ken() -> str | None: t = (os.environ.get("GITHUB_TOKEN") or "").strip() if t: return t return (loa

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Howard Lo (508.dev)" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agent-skillet

Create a mini-application named 'SkillSyncer' that leverages the 'agent-skillet' package to streamline the management of skills for AI agents such as Claude, Cursor, and Copilot. This application should allow users to easily install, update, and synchronize skills across different agents within their repositories.

Step 1: Set up the environment
- Ensure Python is installed on your machine.
- Install the 'agent-skillet' package using pip.

Step 2: Define the core functionalities
- Implement a function to list all available skills that can be installed for the supported agents.
- Develop a feature to install a specific skill for a chosen agent from a repository.
- Create an option to update existing skills to their latest versions.
- Add functionality to synchronize skills between multiple agents, ensuring they have the same set of skills.

Step 3: Enhance user experience
- Provide a command-line interface (CLI) for interacting with the application.
- Include error handling and informative messages to guide users through the process.
- Offer a way to save configurations so users don't need to reconfigure every time they use the application.

Step 4: Testing and Documentation
- Write tests to ensure each feature works as expected.
- Document the installation process, usage instructions, and examples for the CLI.

Utilize the 'agent-skillet' package's core features by integrating its functions for managing skills. For example, use the package's API to fetch available skills, handle installations, updates, and synchronization tasks. The goal is to create a seamless tool that simplifies the management of AI agent skills for developers and enthusiasts.