agentpowers

v0.1.11 suspicious
8.0
High Risk

AgentPowers CLI — discover, install, and publish marketplace skills

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits significant risks related to shell execution, obfuscation techniques, and credential manipulation, suggesting potential malicious intent. However, it's not conclusively malicious without direct evidence of harmful behavior.

  • High shell risk due to subprocess.run
  • Potential for code injection via eval()
  • Intentional manipulation of system files for credential harvesting

Per-check LLM notes

  • Network: The use of httpx.Client for network calls could be legitimate, but the presence of URLs and tokens suggests potential external communication which needs further investigation.
  • Shell: Execution of external commands via 'subprocess.run' can introduce risks such as unintended command execution, especially when dealing with user inputs or untrusted sources.
  • Obfuscation: The use of eval() and accessing environment variables without proper sanitization suggests potential for code injection and misuse.
  • Credentials: The attempt to access and manipulate the '/etc/passwd' file through symbolic links and zip archives indicates an intent to exploit system files, likely for credential harvesting.

📦 Package Quality Overall: Low (4.8/10)

✦ High Test Suite 9.0

Test suite present — 28 test file(s) found

  • Test runner config found: conftest.py
  • Test runner config found: pyproject.toml
  • 28 test file(s) detected (e.g. conftest.py)

◈ Medium Documentation 7.0

Some documentation present

  • Documentation URL: "Documentation" -> https://docs.agentpowers.ai
  • Detailed PyPI description (1864 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 538 type-annotated function signatures detected in source

○ Low Multiple Contributors 1.0

Could not retrieve contributor data from GitHub

  • GitHub API error: 404

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • try: with httpx.Client() as client: response = client.get(url)
  • oken}" try: with httpx.Client() as http: resp = http.post( f"{
  • info.get("url", "") with httpx.Client() as http: response = http.get(url) response
  • try: with httpx.Client(timeout=self.timeout) as client: # Dispatch
  • try: with httpx.Client(timeout=self.timeout) as client: client.post
  • th_headers(auth) with httpx.Client(timeout=self.timeout) as client: response = clie

Code Obfuscation score 4.0

Found 2 obfuscation pattern(s)

  • "security_findings"] = ["Uses eval()", "Accesses env vars"] client.get.side_effect = [
  • ode == 0 assert "Uses eval()" in result.output assert "Accesses env vars" in re

Shell / Subprocess Execution score 4.0

Found 2 shell execution pattern(s)

  • efix="ap-scan-") result = subprocess.run( ["npx", source, "install", slug, "--no-input", "--d
  • status: result = subprocess.run( ["npx", source, "install", slug, "--no-inpu

Credential Harvesting score 10.0

Found 4 credential access pattern(s)

  • validate_slug("../../etc/passwd") def test_slug_dots_rejected(self) -> None: w
  • _symlink( target="/etc/passwd", link_name="evil_link", ) with
  • """A member like 'foo/../../../etc/passwd' must be rejected.""" malicious_zip = _make_zip({
  • ip({ "foo/../../../etc/passwd": b"pwned", }) with pytest.raises(ValueErro

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Nate Ritter" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with agentpowers

Create a command-line tool called 'SkillMaster' using the Python package 'agentpowers'. This tool will allow users to easily manage marketplace skills related to AI agents. SkillMaster should have the following core functionalities:

1. **Skill Discovery**: Users should be able to search for available skills based on keywords or categories. The tool should display relevant information about each skill, such as its description, version, and any dependencies.
2. **Installation Management**: Users should be able to install, update, and uninstall skills directly from the command line. The tool should handle all necessary dependencies automatically.
3. **Publishing Skills**: Advanced users should be able to publish their own skills to the marketplace through the tool. This feature requires authentication and should include validation checks to ensure the skill meets the required standards.
4. **Skill Information**: Provide detailed information about installed skills, including usage instructions and examples.
5. **Version Control**: Allow users to specify which version of a skill they want to install or use.
6. **Dependency Management**: Automatically manage dependencies when installing or updating skills.
7. **User Interface**: Implement a user-friendly command-line interface with clear prompts and help documentation.
8. **Logging and Error Handling**: Ensure the tool logs all actions taken and provides meaningful error messages for troubleshooting.

To achieve these functionalities, you'll need to utilize the 'agentpowers' package extensively. For example, you might use it to query the marketplace for available skills, handle the installation process, and manage the publication of new skills. Additionally, consider integrating with other Python libraries for enhanced functionality, such as argparse for command-line parsing and requests for making HTTP requests if needed.

Your task is to design and implement SkillMaster from scratch, ensuring it adheres to best practices in Python development, including proper documentation, testing, and packaging for distribution.