agentassert-typec-claude-code

v0.6.2 suspicious
6.0
Medium Risk

AgentAssert Type-C Claude Code hook adapter — enforce behavioral contracts directly in Claude Code CLI.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits significant obfuscation and shell execution capabilities, which are concerning given the lack of clear documentation or purpose explanation. While there are no direct indications of malicious activity, the combination of these factors raises suspicion.

  • High obfuscation risk
  • Potential for shell execution

Per-check LLM notes

  • Network: No network calls detected, which is not unusual but may warrant further investigation if the package's purpose includes network operations.
  • Shell: The detected shell execution may be legitimate if the package performs tasks requiring shell access; however, it increases risk because it could potentially execute arbitrary code.
  • Obfuscation: The code shows signs of obfuscation with environment variable manipulation and potential for executing arbitrary commands, raising concerns about its intent.
  • Credentials: No clear patterns indicating credential harvesting were found, but further investigation is advised.
  • Metadata: The recent burst of commits and the maintainer's new or inactive account status raise some suspicion, but there are no clear indicators of typosquatting or malicious intent.

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • timeout=5, env={**__import__("os").environ, **env}, ) return json.loads(result.stdout)

Shell / Subprocess Execution score 4.0

Found 2 shell execution pattern(s)

  • r(contract_path) result = subprocess.run( [sys.executable, str(HOOK_PY)], input=json.
  • _json(self): result = subprocess.run( [sys.executable, str(HOOK_PY)], inp

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 2.5

Git history flags: All 16 commits happened within 24 hours

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Varun Pratap Bhardwaj" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agentassert-typec-claude-code
Create a command-line utility called 'ClaudeGuard' that leverages the 'agentassert-typec-claude-code' package to ensure that all commands executed through the Claude Code CLI adhere to specific behavioral contracts. This utility will serve as a safety net, preventing unauthorized or potentially harmful operations from being carried out within a development environment.

Step-by-Step Guide:
1. Set up a virtual environment and install the necessary packages, including 'agentassert-typec-claude-code'.
2. Define a set of behavioral contracts that your utility will enforce. These contracts could include restrictions such as limiting the execution of certain commands based on user permissions, ensuring that only safe operations are performed, or enforcing specific workflows.
3. Implement a function that intercepts commands before they are passed to the Claude Code CLI. Use the 'agentassert-typec-claude-code' package to check if these commands meet the defined behavioral contracts.
4. If a command fails to meet a contract, ClaudeGuard should prevent its execution and notify the user about the violation.
5. Provide an option for users to customize their own behavioral contracts, allowing them to tailor the enforcement rules according to their specific needs.
6. Ensure that ClaudeGuard integrates seamlessly with the existing Claude Code CLI workflow without disrupting user experience.
7. Include comprehensive documentation detailing how to use ClaudeGuard effectively, along with examples of common scenarios where it can be particularly useful.

Suggested Features:
- A user-friendly interface that allows easy configuration of behavioral contracts.
- Detailed logs of all intercepted commands and their outcomes, aiding in troubleshooting and auditing.
- Support for multiple levels of user permissions, allowing fine-grained control over command execution.
- The ability to automatically update the list of enforced behavioral contracts based on predefined criteria or user input.