ai-agentbom

v0.8.0 suspicious
6.0
Medium Risk

Offline AI agent bill of materials and attack surface scanner

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits significant obfuscation and shell execution risks, suggesting potential for misuse. While there's no direct evidence of malicious intent, the high obfuscation risk and the use of subprocess execution warrant further investigation.

  • High obfuscation risk
  • Potential for unauthorized subprocess execution

Per-check LLM notes
  • Network: The package includes network calls to various libraries and external URLs which could indicate legitimate functionality but also potential data exfiltration.
  • Shell: Subprocess execution is detected, which can be used for legitimate purposes but may also pose a risk if it executes commands without proper user consent or input validation.
  • Obfuscation: The presence of code execution and network interaction patterns suggests potential for malicious activity.
  • Credentials: No clear signs of credential harvesting or secret handling detected.
  • Metadata: The maintainer has only one package, which may indicate a new or less active account, raising some suspicion but not enough to conclusively determine malice.

📦 Package Quality Overall: Medium (5.8/10)

✦ High Test Suite 9.0

Test suite present: 11 test file(s) found

  • 11 test file(s) detected (e.g. test_cli.py)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (6785 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 344 type-annotated function signatures detected in source

◈ Medium Multiple Contributors 6.0

Limited contributor diversity

  • 2 unique contributor(s) across 100 commits in vlcak27/agentbom
  • Two distinct contributors found

🔬 Heuristic Checks

⚠ Outbound Network Calls score 7.5

Found 5 network call pattern(s)

  • sts.", "httpx.", "aiohttp.", "urllib.request.")) for call in calls ) def _has_python_mcp_to
  • = 'gpt-4o'", "requests.get('https://example.com')", "subprocess.run(['e
  • ChatOpenAI", "requests.get('https://example.com')", ] ), en
  • : prompt})", "requests.get('https://example.com')", ] ), en
  • = 'gpt-4o'", "httpx.get('https://example.com')", "subprocess.run(['e

⚠ Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • ue"), "code_execution": ("eval(", "exec("), "network": ("requests.", "httpx.", "aiohttp
  • ("subprocess", "os.system", "eval(", "exec("), "risk": "high", }, { "c
  • llo'])", " eval('1 + 1')", " client.get('https://example.

⚠ Shell / Subprocess Execution score 4.0

Found 2 shell execution pattern(s)

  • not-store'", "subprocess.run(['echo', 'hello'])", ] ), encodi
  • = 'gpt-4o'", "subprocess.run(['echo', 'hello'])", ] ), encodi

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

No author email provided

✓ Suspicious Page Links

All external links appear legitimate

✓ Git Repository History

Repository vlcak27/agentbom appears legitimate

⚠ Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "AgentBOM contributors" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with ai-agentbom:

Create a mini-application named 'AgentScanner' that leverages the 'ai-agentbom' package to scan and analyze the offline AI agent bill of materials and attack surfaces. This application should serve as a security tool for developers and system administrators who need to ensure their AI agents are secure against potential vulnerabilities. Here’s a step-by-step guide on how to develop this application:

1. **Setup**: Begin by installing the necessary Python packages, including 'ai-agentbom'. Ensure your development environment is set up correctly for Python.
2. **Core Functionality**: Develop the core functionality of scanning an AI agent's bill of materials and identifying any potential security issues. Use 'ai-agentbom' to parse and analyze the components and dependencies of the AI agent.
3. **Attack Surface Analysis**: Implement an analysis feature that identifies potential attack surfaces within the AI agent. This includes but is not limited to identifying insecure configurations, outdated libraries, and unsecured APIs.
4. **Reporting**: Create a reporting module that generates detailed reports based on the findings from the scans and analyses. These reports should include recommendations for mitigating identified risks.
5. **User Interface**: Design a simple command-line interface (CLI) for users to interact with 'AgentScanner'. Users should be able to specify the path to the AI agent they want to scan and choose between different scan types (e.g., quick scan, full scan).
6. **Integration with CI/CD**: Optionally, integrate 'AgentScanner' into a continuous integration/continuous deployment (CI/CD) pipeline so that it automatically runs during each build process to ensure new builds are secure.
7. **Documentation and Testing**: Write comprehensive documentation for 'AgentScanner', explaining how to install it, use it, and interpret the results. Also, implement unit tests to ensure the application works as expected under various conditions.

By following these steps, you will create a valuable tool that helps secure AI agents against potential threats, leveraging the powerful capabilities of the 'ai-agentbom' package.