AI Analysis
Final verdict: SUSPICIOUS
The package carries notable risk: it makes outbound HTTP(S) calls to fetch remote configuration, some of the endpoints it references are plain http://, and it passes a command string to subprocess.run with shell=True. There is no direct evidence of malicious intent, but the package should be reviewed before use.
- High risk from use of 'shell=True' in subprocess calls.
- Outbound network calls fetch remote configuration; if an endpoint is not HTTPS or the response is not validated, a network attacker can tamper with what the package loads.
Per-check LLM notes
- Network: Network calls suggest external configuration fetching which could be legitimate but also risky if unsecured.
- Shell: subprocess.run(command, shell=True) hands the command string to /bin/sh, so any untrusted text that reaches it (a ';', '|', '$(...)' or backtick) becomes arbitrary code execution. The matched call passes a variable named command rather than a literal, so the risk depends on where that string comes from.
- Obfuscation: No obfuscation patterns detected, indicating low risk.
- Credentials: No credential harvesting patterns detected, indicating low risk.
- Metadata: Non-HTTPS links and incomplete maintainer information suggest potential risk, but no clear indicators of malicious intent. Two caveats: the apple.com URL is the standard DOCTYPE system identifier of an XML property list and is not fetched at runtime, and the two hosts on port 4318 are consistent with OTLP/HTTP collector endpoints on a private network rather than public internet services.
Heuristic Checks
Outbound Network Calls
score 9.0
Found 6 network call pattern(s)
- penid-configuration" with httpx.Client(timeout=10.0) as client: response = client.get(disco
- api_key, } async with httpx.AsyncClient(timeout=10.0) as client: response = await client.get
- body. """ async with httpx.AsyncClient(follow_redirects=True, timeout=timeout_seconds) as client:
- nfig_kwargs["httpx_client"] = httpx.AsyncClient( timeout=self._request_timeout,
- str, Any]: async with httpx.AsyncClient() as http: resp = await http.post(
- } async with httpx.AsyncClient() as http: resp = await http.post(
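The matched calls fetch remote documents with httpx, one of them with follow_redirects=True. The policy a reviewer would want applied before such a fetch is shown below as an added example; it is not code from the agentlings package. It uses only the standard library, and the allowlisted hostnames and sample URLs are constructed for the example.

```python
"""Outbound configuration fetches: URL and redirect policy.

Added example (not code from the agentlings package). Before a client such as
httpx fetches a remote configuration or discovery document, decide up front
which URLs are acceptable: HTTPS everywhere, plain HTTP only for explicitly
allowlisted private hosts, no credentials embedded in the URL, and no redirect
that changes host or downgrades to HTTP. The allowlist and the sample URLs are
constructed for this example.
"""
from urllib.parse import urljoin, urlsplit

# Assumed: internal telemetry collectors reachable over plain HTTP on a
# private network. Everything else must be HTTPS.
ALLOW_PLAIN_HTTP_HOSTS = frozenset(
    {"localhost", "127.0.0.1", "otel-collector", "collector"}
)


class UnsafeConfigURL(ValueError):
    """Raised when a URL violates the fetch policy."""


def validate_config_url(url: str, allow_plain_http_hosts=ALLOW_PLAIN_HTTP_HOSTS) -> str:
    """Return url unchanged if it may be fetched; raise UnsafeConfigURL otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeConfigURL(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeConfigURL("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeConfigURL("credentials embedded in URL")
    if parts.scheme == "http" and parts.hostname not in allow_plain_http_hosts:
        raise UnsafeConfigURL(f"plain http to {parts.hostname} is not allowed")
    return url


def is_safe_config_url(url: str) -> bool:
    """Boolean form of validate_config_url, convenient for filtering."""
    try:
        validate_config_url(url)
    except UnsafeConfigURL:
        return False
    return True


def redirect_allowed(request_url: str, location: str) -> bool:
    """Allow a redirect only to the same host and port, and never https -> http.

    httpx follows redirects on its own when follow_redirects=True; to apply a
    check like this per hop, fetch with follow_redirects=False and decide
    before issuing the next request.
    """
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # resolve relative Location
    if src.scheme == "https" and dst.scheme != "https":
        return False  # downgrade to plain http
    if (dst.hostname, dst.port) != (src.hostname, src.port):
        return False  # cross-host or cross-port redirect
    return dst.scheme in ("http", "https")


if __name__ == "__main__":
    for u in ("https://issuer.example/.well-known/config.json",
              "http://otel-collector:4318/v1/traces",
              "http://config.example/agent.json"):
        print(u, "->", "ok" if is_safe_config_url(u) else "REJECTED")
```

The same policy covers the two findings in the Suspicious Page Links check: internal collector hosts can be allowlisted explicitly, while any other plain-http configuration source is rejected before a request is made.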
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
score 4.0
Found 2 shell execution pattern(s)
- try: result = subprocess.run( command, shell=True,
- command, shell=True, capture_output=True, text=
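To show why this pattern is scored and how the check can be reproduced, here is an added example (not code from the agentlings package): a detector that walks a Python AST for subprocess calls with shell=True and reports whether the command is a literal, alongside a harmless demonstration of the injection itself and the argv-list fix. The sample source and the payload string are constructed for the example; the payload only runs echo.

```python
"""subprocess.run(shell=True): detecting it, demonstrating it, fixing it.

Added example, not code from the agentlings package. SAMPLE is a constructed
source file whose first call mirrors the shape of the matched finding (a
variable `command` passed with shell=True); PAYLOAD is a constructed input.
"""
import ast
import shlex
import subprocess

SAMPLE = '''\
import subprocess

def run(command):
    try:
        result = subprocess.run(
            command, shell=True, capture_output=True, text=True
        )
    except OSError:
        return None
    return result.stdout

def list_dir():
    return subprocess.run("ls -l", shell=True, capture_output=True, text=True).stdout
'''

SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}


def find_shell_true_calls(source: str) -> list[tuple[int, bool]]:
    """Return (line, command_is_literal) for each subprocess.* call with shell=True.

    A literal command with shell=True is usually benign; a variable is where
    untrusted input can reach the shell, so that is the case worth reviewing.
    """
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"
                and func.attr in SUBPROCESS_FUNCS):
            continue
        shell = next((kw.value for kw in node.keywords if kw.arg == "shell"), None)
        if not (isinstance(shell, ast.Constant) and shell.value is True):
            continue
        cmd = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "args"), None)
        found.append((node.lineno, isinstance(cmd, ast.Constant)))
    return sorted(found)


PAYLOAD = "hello; echo INJECTED"  # constructed: ';' ends echo and starts a second command


def run_unsafe(name: str) -> str:
    # The shell parses the interpolated string before echo runs.
    return subprocess.run(f"echo {name}", shell=True,
                          capture_output=True, text=True, check=True).stdout


def run_safe(name: str) -> str:
    # argv list, no shell: the entire string is a single argument to echo.
    return subprocess.run(["echo", name],
                          capture_output=True, text=True, check=True).stdout


def run_quoted(name: str) -> str:
    # If a shell is genuinely needed (pipes, globbing), quote every untrusted piece.
    return subprocess.run(f"echo {shlex.quote(name)}", shell=True,
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("detector:", find_shell_true_calls(SAMPLE))
    print("unsafe  :", repr(run_unsafe(PAYLOAD)))
    print("safe    :", repr(run_safe(PAYLOAD)))
    print("quoted  :", repr(run_quoted(PAYLOAD)))
```

The detector flags both calls in SAMPLE but distinguishes the literal "ls -l" from the variable command, which is the distinction the score should turn on; the three run_* variants show the same payload executing a second command under shell=True and being treated as plain text by the argv-list and shlex.quote forms.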
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
Email domain looks legitimate: gmail.com
Suspicious Page Links
score 6.0
Found 3 suspicious link(s) on the package page
- Non-HTTPS external link: http://www.apple.com/DTDs/PropertyList-1.0.dtd
- Non-HTTPS external link: http://otel-collector:4318
- Non-HTTPS external link: http://collector:4318
Git Repository History
Repository andyjmorgan/DonkeyWork-Agentlings appears legitimate
Maintainer History
score 4.0
2 maintainer concern(s) found
- Author name is missing or very short
- Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with agentlings
Build a simple Python application using the agentlings package to demonstrate its core features.