agentic-aqua

v0.4.1 suspicious
6.0
Medium Risk

Agentic AQUA — MCP server for Liquid Network and Bitcoin wallet operations

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate risks, particularly concerning potential credential exposure and obfuscation techniques. While it's not conclusive evidence of malicious intent, these indicators suggest caution and further scrutiny.

  • High credential risk
  • Significant obfuscation risk
Per-check LLM notes
  • Network: The network call patterns indicate the package is making HTTP requests, which could be legitimate for fetching data or updates but should be reviewed for destinations and purposes.
  • Shell: No shell execution patterns were detected, suggesting low risk of direct system command execution.
  • Obfuscation: Base64 decoding without context suggests possible obfuscation of sensitive information.
  • Credentials: Access to potentially sensitive files and paths indicates risk of credential harvesting.
  • Metadata: The author information is incomplete, and the maintainer seems to be new or inactive, which raises some suspicion but not enough to conclusively identify it as malicious.

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • body else None req = urllib.request.Request( url, data=data,
  • try: with urllib.request.urlopen(req, timeout=30) as resp: return jso
  • None else None req = urllib.request.Request( url, data=data,
  • try: with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_SECONDS) as resp:
Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • h password.""" data = base64.b64decode(encrypted) salt = data[:SALT_LENGTH] encrypt
  • "plain:"): return base64.b64decode(stored[6:]).decode() if not password: ra
  • @pytest.mark.skipif( __import__("sys").platform == "win32", reason="POSIX file permissions
Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting score 5.0

Found 2 credential access pattern(s)

  • storage._pix_swap_path("../etc/passwd") @pytest.mark.skipif( __import__("sys").platf
  • trize("name", [ "../../etc/passwd", "../evil", "wallet/name", "wallet
Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: example.com>

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository jan3dev/agentic-aqua appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agentic-aqua 
Develop a mini-application named 'CryptoLiquidTrader' that integrates the 'agentic-aqua' package to enable users to manage their Bitcoin wallets and perform transactions on the Liquid Network. This application should allow users to view their wallet balance, send Bitcoin to other addresses, receive Bitcoin, and track transaction history.

The application should include the following core functionalities:
1. User Authentication: Implement a secure login system where users can register and log in using a username and password.
2. Wallet Management: Allow users to view their current Bitcoin balance on the Liquid Network.
3. Transaction Sending: Enable users to send Bitcoin to other Liquid Network addresses with options to specify the amount and any additional notes.
4. Transaction Receiving: Provide a feature where users can generate a unique address to receive Bitcoin payments.
5. Transaction History: Display a history of all transactions performed by the user, including details such as the date, time, sender/receiver, and amount.
6. Notifications: Send email notifications to users for important events like successful transactions or low balance warnings.
7. API Integration: Offer a RESTful API that exposes endpoints for the above functionalities, allowing third-party applications to interact with the CryptoLiquidTrader app.

Utilize the 'agentic-aqua' package to handle all interactions with the Liquid Network and Bitcoin wallet operations. Specifically, use its MCP server capabilities to manage connections to the Liquid Network and execute wallet commands securely. Ensure that the application is designed with security best practices in mind, such as encrypting sensitive data and implementing proper error handling.