agentmesh-marketplace

v4.0.0 suspicious
5.0
Medium Risk

Plugin marketplace for the Agent Governance Toolkit — discover, install, verify, and manage plugins

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits significant obfuscation techniques which may be used to hide malicious activities. While there is no direct evidence of harmful intent, the incomplete metadata and potential network risks raise concerns about its safety.

  • High obfuscation risk through XOR operations and dynamic imports
  • Incomplete author information and potential network risks

Per-check LLM notes

  • Network: The use of urllib to open URLs is common for downloading artifacts but could indicate potential risks if the URLs are controlled by an external party.
  • Shell: No shell execution patterns were detected.
  • Obfuscation: The use of XOR operation on base64 decoded data and dynamic imports suggests potential obfuscation to hide code logic.
  • Credentials: No clear patterns of credential harvesting detected.
  • Metadata: The author's information is incomplete and the maintainer seems new or inactive, raising some suspicion but not conclusive evidence of malice.

📦 Package Quality Overall: Medium (6.6/10)

✦ High Test Suite 9.0

Test suite present — 18 test file(s) found

  • 18 test file(s) detected (e.g. test_artifact_fetch.py)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (4000 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 168 type-annotated function signatures detected in source

✦ High Multiple Contributors 10.0

Active multi-contributor project

  • 14 unique contributor(s) across 100 commits in microsoft/agent-governance-toolkit
  • Active community — 5 or more distinct contributors

🔬 Heuristic Checks

Outbound Network Calls score 1.5

Found 1 network call pattern(s)

  • s only). with urllib.request.urlopen(artifact_url) as resp: # noqa: S310

Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • try: sig_bytes = base64.b64decode(manifest.signature) data = manifest.signable_bytes()
  • sig_bytes = bytearray(base64.b64decode(data["signature"])) sig_bytes[0] ^= 0x01 dat
  • ynamic import calls such as ``__import__("subprocess")`` or ``importlib.import_module("os")`` are **no

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: microsoft.com

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository microsoft/agent-governance-toolkit appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agentmesh-marketplace:

Create a mini-application called 'AgentMesh Explorer' that leverages the 'agentmesh-marketplace' package to provide users with a comprehensive tool for managing plugins within the Agent Governance Toolkit ecosystem. This application should allow users to easily discover new plugins, install them directly from the app, verify their authenticity, and manage their installed plugins efficiently. Here are the key features you need to implement:

1. **Plugin Discovery**: Implement a feature where users can search for plugins by name or category. Utilize the 'agentmesh-marketplace' API to fetch plugin metadata such as descriptions, ratings, and usage statistics.
2. **Installation Manager**: Allow users to install discovered plugins directly from the application using the 'agentmesh-marketplace' package's installation capabilities. Ensure that users receive real-time feedback during the installation process.
3. **Verification Tool**: Integrate a verification system that checks if a plugin is genuine and up-to-date using the 'agentmesh-marketplace' package's verification methods. Display the verification status prominently on each plugin's page.
4. **Management Console**: Provide a console where users can view and manage their installed plugins. Include options to uninstall plugins, update them to the latest version, and check for any available updates.
5. **User Interface**: Design an intuitive user interface that makes it easy for users to navigate through the different features of 'AgentMesh Explorer'. Consider using modern UI/UX principles to enhance user experience.
6. **Security Features**: Ensure that all interactions with the 'agentmesh-marketplace' package are secure. Implement measures to protect user data and prevent unauthorized access to installed plugins.
7. **Documentation and Support**: Provide clear documentation on how to use 'AgentMesh Explorer' and integrate support channels where users can seek help or report issues.

By building 'AgentMesh Explorer', you will create a valuable tool for developers working with the Agent Governance Toolkit, streamlining the process of managing plugins and enhancing security and usability.