AI Analysis
The package shows signs of obfuscation without clear justification, indicating potential hidden functionality. While there are no immediate red flags like network calls or shell executions, the metadata and obfuscation risks raise concerns about its true intentions.
- High obfuscation risk
- Low maintainer activity
Per-check LLM notes
- Network: No network calls detected, which is normal if the package does not require internet access.
- Shell: No shell execution detected, which is expected unless the package needs to run system commands.
- Obfuscation: The repeated use of base64 decoding without clear purpose suggests potential obfuscation or hiding of code/data, raising suspicion.
- Credentials: No direct patterns for harvesting credentials are detected, but the obfuscation could potentially hide such activities.
- Metadata: The repository's low activity and the maintainer's lack of history suggest potential risk.
Heuristic Checks
No suspicious network call patterns found
Found 5 obfuscation pattern(s)
its raw bytes.""" return base64.b64decode(env["payload"], validate=True) def envelope_pae_bytes(env:
) payload_bytes = base64.b64decode(envelope["payload"], validate=True) receipt = validate_r
t']['did']}") agent_sig = base64.b64decode(env["signatures"][0]["sig"], validate=True) try:
ol']['did']}") tool_sig = base64.b64decode(env["signatures"][1]["sig"], validate=True) try:
-payload": original = base64.b64decode(env["payload"]) obj = json.loads(original.decode("ut
No shell execution patterns detected
No credential harvesting patterns detected
No typosquatting candidates detected
Email domain looks legitimate: gmail.com
All external links appear legitimate
Git history flags:
- Repository has zero stars and zero forks
- Very few commits: 2 total
3 maintainer concern(s) found
- Only one version has ever been released — brand new package
- Author name is missing or very short
- Author "" appears to have only 1 package on PyPI (new or inactive account)
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Develop a secure logging system for AI agents using the 'agent-toolprint' Python package. This system will allow users to log actions performed by AI agents in a way that is both secure and verifiable. Here's a step-by-step guide on how to build this system:

1. **Setup**: Begin by setting up a Python environment. Ensure you have Python installed along with pip. Install the 'agent-toolprint' package via pip.
2. **Design**: Design your logging system architecture. Consider how logs will be stored, retrieved, and verified. Think about the user interface if the system is intended for human interaction.
3. **Implementation**:
   - Implement the logging function which will use 'agent-toolprint' to create double-signed receipts for each action performed by an AI agent. These receipts should include details such as the time of the action, the type of action, and any relevant parameters.
   - Utilize DSSE (Dead Simple Signing Envelope), JCS (JSON Canonicalization Scheme), and Ed25519 signatures provided by 'agent-toolprint' to ensure that these logs are tamper-proof and verifiable.
   - Create a verification function that allows anyone to verify the authenticity and integrity of the logged actions without needing to trust the logging system itself.
4. **Testing**: Test the logging system thoroughly. Verify that logs can be created, stored, and verified correctly. Ensure that the system is robust against attempts to forge or alter logs.
5. **Documentation**: Write clear documentation explaining how to set up and use the logging system. Include examples and best practices.
6. **Deployment**: Deploy the system in a real-world scenario where it can be tested under actual conditions. Monitor its performance and make adjustments as necessary.

Suggested Features:
- A web-based UI for viewing and searching through logs.
- Integration with popular logging frameworks like Logstash or Fluentd.
- Support for exporting logs in various formats for further analysis.
- An API for programmatically interacting with the logging system.
- Real-time notifications for certain types of actions.