agent-tool-store

Version: v2.1.8
Verdict: suspicious
Score: 6.0 (Medium Risk)

ToolStore v2 — MCP Client + Skills Manager + MCP Server. The universal tool platform for AI agents.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate risks due to its network and shell command usage, along with obfuscation techniques. While there's no clear evidence of malicious intent, these behaviors warrant further investigation.

  • High shell risk
  • Moderate network risk
  • Significant obfuscation

Per-check LLM notes

  • Network: The package makes network calls to various URLs including HTTP GET, POST, and DELETE methods which could be used for legitimate purposes but also raise suspicion due to potential unauthorized access or data exfiltration.
  • Shell: Executing shell commands such as 'docker info' and running Docker containers can be part of the intended functionality if the package is related to container management. However, this also poses a significant risk if not properly controlled, leading to potential system compromise.
  • Obfuscation: The presence of Base64 decoding suggests an attempt to obfuscate the code, which is suspicious but could be legitimate for various reasons.
  • Credentials: No clear evidence of credential harvesting detected.
  • Metadata: The package has a single author with one package and a missing repository, raising suspicion but not conclusive evidence of malice.

🔬 Heuristic Checks

Outbound Network Calls score 7.5

Found 5 network call pattern(s)

  • try: response = httpx.get(registry_url) response.raise_for_status() re
  • try: response = httpx.post(token_url, data={ "username": username,
  • {token}"} response = httpx.post(publish_url, json=tool_def, headers=headers)
  • {token}"} response = httpx.delete(delete_url, headers=headers) if response.st
  • } response = httpx.post( skills_publish_url, json=upload_data, headers=h

Code Obfuscation score 10.0

Found 6 obfuscation pattern(s)

  • and not code: code = base64.b64decode(code_b64).decode("utf-8") if not code: return "
  • and not code: code = base64.b64decode(code_b64).decode("utf-8") # Local toolsets: read code f
  • try: return base64.b64decode(code_b64).decode("utf-8") except Exception:
  • try: code = base64.b64decode(self.code_base64).decode("utf-8") except Excepti
  • and not code: code = base64.b64decode(code_b64).decode("utf-8") if not code and tool.get("tool
  • try: zip_data = base64.b64decode(archive_b64) except Exception: logger.debug("Sup

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • t on PATH." try: subprocess.run( ["docker", "info"], capture_output=
  • orker.""" self.proc = subprocess.Popen( [ "docker", "run", "-i", "--rm"
  • try: proc = subprocess.run( cmd, capture_output=True,
  • try: result = subprocess.run( [str(target)], capture_output=True, text=Tr
  • in32" self._process = subprocess.Popen( self._cmd, stdin=subprocess.PIPE,
  • point self._process = subprocess.Popen( cmd, stdin=subprocess.PIPE,

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)


Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "ToolStore Team" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agent-tool-store:

Create a personal task management AI assistant named 'TaskMaster' using the 'agent-tool-store' Python package. TaskMaster should be designed to help users manage their daily tasks efficiently through natural language interaction. The application will leverage the capabilities of 'agent-tool-store' to integrate various tools and skills necessary for task management.

### Project Goals:
1. **User Interaction**: Allow users to input tasks via text or voice commands.
2. **Task Management**: Enable adding, editing, deleting, and prioritizing tasks.
3. **Reminders**: Set reminders for upcoming tasks based on user preferences.
4. **Integration**: Integrate with calendar applications (like Google Calendar) to sync tasks.
5. **Reporting**: Provide daily and weekly reports on completed and pending tasks.

### Steps to Build TaskMaster:
1. **Setup Environment**: Install Python and the 'agent-tool-store' package.
2. **Initialize Agent**: Use 'agent-tool-store' to initialize the AI agent framework.
3. **Natural Language Processing**: Implement NLP functionality to understand user inputs and commands.
4. **Task Database**: Create a database to store tasks, including fields like title, description, due date, priority level, etc.
5. **Calendar Integration**: Use 'agent-tool-store' to add a skill for integrating with calendar services.
6. **Reminder System**: Develop a reminder system that sends notifications based on task due dates.
7. **Reporting Module**: Implement reporting functionalities to provide summaries of tasks.
8. **Testing and Deployment**: Test the application thoroughly and deploy it as a web app or desktop application.

### Utilization of 'agent-tool-store':
- **MCP Client**: For managing the communication between different components of the application.
- **Skills Manager**: To handle the integration of NLP processing and calendar services as separate skills.
- **MCP Server**: To serve as the central hub for managing all operations related to the AI agent.

By following these steps and utilizing the 'agent-tool-store' package effectively, you'll create a powerful and user-friendly task management AI assistant.