ai-engineering

v0.10.1 suspicious
7.0
High Risk

AI governance framework for secure software delivery

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits high credential and obfuscation risks, indicating potential malicious intent. While other risks are moderate, the combination of accessing sensitive SSH keys and using obfuscated code execution mechanisms raises significant concerns.

  • High credential risk due to direct access to SSH keys
  • High obfuscation risk with base64 encoded eval function

Per-check LLM notes
  • Network: The network call patterns seem to be for making HTTP requests, possibly for API interactions, which is not inherently suspicious but should be reviewed for context.
  • Shell: The shell execution patterns involve Git and GitHub CLI commands, likely for version control operations. This is common for development tools but could indicate unintended behavior if used improperly.
  • Obfuscation: The presence of 'eval_encoded' with base64 decoding suggests potential for executing arbitrary code, which is risky.
  • Credentials: Direct reference to '~/.ssh/id_rsa' indicates an attempt to access sensitive SSH keys, highly suspicious.
  • Metadata: The maintainer has only one package and lacks PyPI classifiers, indicating low effort or inexperience.

📦 Package Quality Overall: Low (4.4/10)

✦ High Test Suite 9.0

Test suite present — 3 test file(s) found

  • 3 test file(s) detected (e.g. pyproject.toml)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (6775 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 494 type-annotated function signatures detected in source

○ Low Multiple Contributors 1.0

Unable to verify contributor count: no GitHub repository found

  • No GitHub repository linked — contributor count unavailable

🔬 Heuristic Checks

Outbound Network Calls score 3.0

Found 2 network call pattern(s)

  • return False req = urllib.request.Request( target, data=body, method="
  • llib-request opener = urllib.request.urlopen with opener(req, timeout=timeout) as resp:

Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • "eval_encoded", re.compile(r"eval\s*\(\s*(base64|atob|decode|exec|compile)", re.IGNORECASE), "HIGH", ), Patte

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • ne: try: result = subprocess.run( ("git", *args), cwd=cwd, capture_output=True, t
  • try: result = subprocess.run( ( "gh",
  • """ try: result = subprocess.run( ["git", "-C", str(project_root), *args],
  • """ try: result = subprocess.run( [ "gh", "pr",
  • ntracked.""" try: subprocess.run( ["git", "-C", str(project_root), "mv", str(src)
  • ntracked.""" try: subprocess.run( ["git", "-C", str(project_root), "rm", str(targ

Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • rm embedded inline (e.g. "cat ~/.ssh/id_rsa"). return pattern in content or _expand_user_path(p

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author "ai-engineering maintainers" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with ai-engineering

Develop a mini-application named 'SecureCodePipeline' using the 'ai-engineering' package to streamline and secure the software development lifecycle (SDLC). This application should serve as a bridge between developers and security teams, ensuring that every code commit adheres to predefined security policies and best practices. Here are the steps and features you should include in your project:

1. **Setup**: Begin by setting up the project environment. Install the 'ai-engineering' package and any other necessary dependencies.
2. **Configuration**: Allow users to configure their security policies through a YAML file. Policies could include restrictions on certain API calls, mandatory use of encryption, or specific coding standards.
3. **Integration**: Integrate the application into a version control system like Git. It should automatically scan each commit for compliance with the configured security policies.
4. **Analysis**: Use the 'ai-engineering' package to analyze code commits. The analysis should flag potential security vulnerabilities and suggest improvements.
5. **Reporting**: Implement a reporting feature that provides a summary of the security checks performed, highlighting any issues found and their severity levels.
6. **Feedback Loop**: Enable a feedback loop where developers receive immediate notifications about non-compliance issues. Provide suggestions on how to resolve these issues.
7. **Documentation**: Generate comprehensive documentation that explains how to set up and use 'SecureCodePipeline', including examples of common security policies and how they can be implemented.

By leveraging the 'ai-engineering' package, ensure that the application can dynamically adapt to changes in security requirements and provide real-time feedback during the SDLC.