agenthatch

v0.6.2 suspicious
7.0
High Risk

Turn any SKILL.md into a runnable AI Agent

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits several concerning behaviors, including potential network risks and shell execution capabilities, which pose significant threats. Additionally, the metadata suggests unreliable origins.

  • High network and shell execution risks
  • Observed obfuscation practices
  • Unreliable metadata and origin

Per-check LLM notes
  • Network: The observed network patterns indicate potential external communication which could be used for data exfiltration or C2 activities.
  • Shell: The use of shell execution commands suggests the package may execute arbitrary commands, posing a high risk for potential misuse or exploitation.
  • Obfuscation: The code attempts to import packages and handles failures silently, which is an unusual pattern that may indicate obfuscation or evasion techniques.
  • Credentials: No clear evidence of credential harvesting is present in the provided code snippet.
  • Metadata: The package has red flags including an absent maintainer history and a non-existent git repository, indicating potential unreliability.

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • f"{url}?{qs}" req = urllib.request.Request(req_url, method=method, headers=headers) if
  • de("utf-8") req = urllib.request.Request( req_url, data=data, method=method,
  • try: with urllib.request.urlopen(req, timeout=30) as resp: return res
  • pped}/v1/models" r = httpx.get( url, headers=auth_headers,
  • httpx self._client = httpx.Client(timeout=60.0) init_resp = self.send_request({
  • httpx self._client = httpx.Client(timeout=60.0) # MCP protocol handshake: initialize →

Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • x"): try: __import__(pkg) except ImportError: missing.append(pkg)

Shell / Subprocess Execution score 8.0

Found 4 shell execution pattern(s)

  • try: result = subprocess.run( cmd_parts, capture_output=T
  • -> None: self._proc = subprocess.Popen( [self._config.command] + self._config.args,
  • try: result = subprocess.run( ["bash", "-c", command], ca
  • try: result = subprocess.run( ["python3", "-c", code], ca

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: outlook.com

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agenthatch
Create a mini-application named 'SkillBot' that automates the process of turning markdown files containing skills descriptions into executable AI agents using the 'agenthatch' package. The application should be user-friendly and allow users to upload a .md file containing skill descriptions in the SKILL.md format, which the application will then convert into an AI agent capable of performing tasks described within the uploaded document. Additionally, implement a feature that allows users to interact with these agents via a simple command-line interface or a web-based interface. Include error handling to ensure robustness against malformed input files and provide a clear output indicating whether the conversion was successful or if there were issues. The final product should showcase the versatility and ease-of-use of the 'agenthatch' package.