AI Analysis
Final verdict: SUSPICIOUS
The package is rated moderate risk: the shell and obfuscation checks both scored high, and the credential and metadata checks add secondary supply-chain concerns.
- High shell risk: the shell check matched patterns associated with shell command injection.
- Obfuscation risk: the code uses eval() and exec(), which allow arbitrary code execution.
Per-check LLM notes
- Network: No network calls detected.
- Shell: High risk due to potential shell injection vulnerabilities.
- Obfuscation: The use of eval(), exec() and similar methods carries an arbitrary-code-execution risk, but no direct malicious use was found; there may be a legitimate coding need.
- Credentials: Reads of sensitive values from environment variables and configuration files were detected; their legitimacy needs to be confirmed to rule out a credential-leak risk.
- Metadata: The maintainer has a new or inactive PyPI account and the repository lacks community engagement.
Heuristic Checks
Outbound Network Calls
No suspicious network call patterns found
Code Obfuscation
score 10.0
Found 6 obfuscation pattern(s)
Matched excerpts (fragments as extracted, Chinese translated, truncated where the extractor cut them off). All six come from the package's own detector: its docstring, its rule table, its AST visitor, its documentation of the suppression comment, and a test fixture that writes the dangerous calls into a file as string literals:
- Docstring: "Detect dangerous function calls in code, which are common in AI-generated code: - eval() / exec(): arbitrary code execution - __import__(): dynamic import - os.system() / os..."
- Rule table (tuple fields end with: display text, description): `([], "eval", "eval(...)", "arbitrary code execution ❌"), ([], "exec", "exec(...)", "arbitrary code execution ❌"`
- AST visitor: "# case 1: direct function call eval(...)" followed by `if isinstance(func, ast.Name):`
- Suppression documentation: "Comments that ignore specific rules. Usage example:" followed by `x = eval(user_input)  # gate:ignore unsafe_api` and `os.system(cmd)  # gate...`
- Test fixture: `...pickle\n\n")`, `f.write('eval("1+1")\n')`, `f.write('os.system("ls")\n')`, `f.wr...`
- Docstring (repeated match): "- eval() / exec(): arbitrary code execution - __import__(): dynamic import - os.system() / os.popen(): shell injection - subprocess.Po..."
Shell / Subprocess Execution
score 10.0
Found 6 shell execution pattern(s)
Matched excerpts (same six sources as the obfuscation check: docstring, rule table, AST visitor, suppression documentation and test fixture; Chinese translated, truncated where cut off):
- Docstring: "...arbitrary code execution - __import__(): dynamic import - os.system() / os.popen(): shell injection - subprocess.Popen(shell=True): sh..."
- Rule table: `...⚠️"), (["os"], "system", "os.system()", "shell command injection ❌"), (["os"], "popen", "os.popen()", "She...`
- AST visitor: "# case 2: attribute call os.system(...)" followed by `elif isinstance(func, ast.Attribute):`
- Suppression documentation: `...ut)  # gate:ignore unsafe_api` and `os.system(cmd)  # gate:ignore unsafe_api  this scenario is safe`, then "Suppression format: - `# gate:i..."
- Test fixture: `...l("1+1")\n')`, `f.write('os.system("ls")\n')`, `f.write('subprocess.Popen("ls", shell=True...`
- Docstring (repeated match): "...rt__(): dynamic import - os.system() / os.popen(): shell injection - subprocess.Popen(shell=True): shell injection - pickl..."
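The excerpts above show the shape of the package's detector (a rule table, an ast.Name branch for direct calls, an ast.Attribute branch for attribute calls, and a `# gate:ignore unsafe_api` suppression comment) and also explain why the two text-level heuristics scored 10.0: the matched text sits in a rule table, a docstring and a fixture that writes `eval("1+1")` into a file as a string, not in executed calls. The Python below is an added example written for this page, not agentguard-tool's own code. It implements that kind of AST-based check next to a naive substring heuristic and runs both over two constructed samples; the concrete rule entries, helper names, the exact spelling of the suppression comment and the sample inputs are assumptions.

```python
"""AST-based unsafe-call detector versus a substring heuristic.

Added example for this page, not agentguard-tool's own code. It models the
technique visible in the matched excerpts (rule table, ast.Name / ast.Attribute
call dispatch, '# gate:ignore unsafe_api' suppression) and shows why a text
heuristic flags a detector's own rule table and fixtures while an AST walk does
not. Rule set, helper names, suppression spelling and samples are assumptions.
"""
import ast
import io
import re
import tokenize

# (module path, callee name, display form, description); the tuple shape is
# modelled on the excerpts, the concrete entries are assumed for this example.
RULES = [
    ([], "eval", "eval(...)", "arbitrary code execution"),
    ([], "exec", "exec(...)", "arbitrary code execution"),
    ([], "__import__", "__import__(...)", "dynamic import"),
    (["os"], "system", "os.system()", "shell command injection"),
    (["os"], "popen", "os.popen()", "shell command injection"),
    (["subprocess"], "Popen", "subprocess.Popen(shell=True)", "shell injection"),
]
SUPPRESS_MARK = "# gate:ignore unsafe_api"  # assumed spelling of the suppression comment

# Naive text heuristic of the kind that scored this package: it counts
# substrings, including those inside string literals, comments and docstrings.
TEXT_PATTERN = re.compile(r"\b(?:eval|exec|__import__|os\.system|os\.popen|subprocess\.Popen)\(")


def _dotted(node):
    """Dotted path of a call target as a list, e.g. ['os', 'system'], else None."""
    if isinstance(node, ast.Name):
        return [node.id]
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return base + [node.attr] if base else None
    return None  # calls on call results, subscripts, lambdas: not matched here


def _shell_true(call):
    """True when the call passes a literal shell=True keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _suppressed_lines(source):
    """Line numbers carrying the suppression comment. Comments are absent from
    the AST, so they are collected with the tokenizer."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and tok.string.startswith(SUPPRESS_MARK):
            lines.add(tok.start[0])
    return lines


def find_unsafe_calls(source):
    """Return (lineno, display, description) for each real dangerous call.

    Only ast.Call nodes are considered, so the text eval("1+1") inside a
    string literal (a fixture writing a file) is never reported.
    """
    tree = ast.parse(source)
    ignored = _suppressed_lines(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        path = _dotted(node.func)
        for modpath, name, display, desc in RULES:
            if path != modpath + [name]:
                continue
            if name == "Popen" and not _shell_true(node):
                continue  # a list argv without shell=True is not shell injection
            if node.lineno not in ignored:
                findings.append((node.lineno, display, desc))
    return findings


def text_hits(source):
    """Number of substring matches the naive heuristic would report."""
    return len(TEXT_PATTERN.findall(source))


# Constructed sample 1: detector-like code, as in the excerpts. Every
# dangerous name appears only inside string literals.
DETECTOR_LIKE = '''
RULES = [([], "eval", "eval(...)", "arbitrary code execution")]
with open("fixture.py", "w") as f:
    f.write('eval("1+1")\\n')
    f.write('os.system("ls")\\n')
    f.write('subprocess.Popen("ls", shell=True)\\n')
'''

# Constructed sample 2: real calls, one suppressed, one Popen without shell=True.
AI_GENERATED = '''
import os, subprocess
x = eval(user_input)
os.system(cmd)  # gate:ignore unsafe_api  reviewed: cmd is a constant
subprocess.Popen(["ls"])
subprocess.Popen(cmd, shell=True)
'''

if __name__ == "__main__":
    for label, src in (("detector-like", DETECTOR_LIKE), ("ai-generated", AI_GENERATED)):
        print(label, "text hits:", text_hits(src), "ast findings:", find_unsafe_calls(src))
```

Run stand-alone, the substring heuristic reports four hits on both samples, while the AST walk reports nothing for the detector-like sample and exactly two calls (the unsuppressed `eval` and the `Popen(..., shell=True)`) for the AI-generated one. That gap is the difference between "the package contains the text `os.system(`" and "the package executes `os.system`", which is the distinction a reviewer has to make by hand when a report like this one scores 10.0.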
Credential Harvesting
score 2.5
Found 1 credential access pattern(s)
Matched excerpt (the same file-writing fixture as in the shell and obfuscation checks; the credential reads appear only inside the written string literals): `f.write('API_KEY = os.getenv("API_KEY")\n')`, `f.write('secret = config["secret"]\n')`
Typosquatting
No typosquatting candidates detected
Registered Email Domain
No author email provided
Suspicious Page Links
All external links appear legitimate
Git Repository History
score 2.5
Git history flags: Repository has zero stars and zero forks
Maintainer History
score 2.0
1 maintainer concern(s) found
Author "Hermes Labs" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with agentguard-tool
Your task is to develop a comprehensive mini-application named 'CodeGuard' that leverages the capabilities of the 'agentguard-tool' package to ensure the quality and safety of code generated by AI agents. This application will serve as an AI-native quality gate, providing real-time feedback and automatic corrections to enhance code quality and maintainability.

Key Features:
1. **Code Scanning**: Implement a feature that allows users to upload or input code snippets. CodeGuard will use 'agentguard-tool' to scan the code for potential issues related to security, performance, and adherence to best coding practices.
2. **Audit Reports**: Upon scanning, generate detailed audit reports that highlight areas needing improvement. These reports should include recommendations on how to fix identified issues.
3. **Automatic Fixes**: Utilize 'agentguard-tool' to automatically apply fixes for certain types of issues detected during the scan. Users should have the option to review and approve these changes before they are applied.
4. **Trend Analysis**: Track the history of scanned code snippets and their respective quality scores over time. Display this data in a user-friendly dashboard to help identify trends and improvements.
5. **Customizable Rules**: Allow users to define their own rules for what constitutes 'high-quality' code. This could include custom scoring systems based on specific coding standards or company policies.
6. **Integration Capabilities**: Develop integration options for popular development environments like VSCode or GitHub, allowing seamless usage of CodeGuard within existing workflows.

Steps to Build the Application:
1. Set up your development environment with Python and install the 'agentguard-tool' package.
2. Design the user interface for uploading code snippets and viewing results.
3. Integrate 'agentguard-tool' into your application for code scanning and auditing functionalities.
4. Implement automatic fixing capabilities based on the findings from the scans.
5. Create a database system to store historical data and facilitate trend analysis.
6. Develop customizable rule settings and integrate them into the scanning process.
7. Test the application thoroughly to ensure all features work as expected and are user-friendly.
8. Deploy the application and provide documentation for users to understand its functionalities and benefits.

By following these steps and utilizing the powerful features of 'agentguard-tool', you'll create a valuable tool that significantly enhances the quality and reliability of code generated by AI agents.