ai-finder

v0.3.8 · Verdict: suspicious · Score: 5.0 · Medium Risk

AI Finder - AI artifact scanner for supply chain security

🤖 AI Analysis

Final verdict: SUSPICIOUS

The ai-finder package has moderate risks associated with network activity and metadata. While there is no clear evidence of malicious intent, the combination of these factors warrants closer scrutiny.

  • network risk due to potential unauthorized data exchange
  • metadata risk due to sparse author information

Per-check LLM notes
  • Network: The package constructs `requests.Session` objects at five sites, two of which set an `Authorization` header when a token is supplied. That is consistent with authenticated lookups against a package index, but the match windows do not show which hosts the sessions contact, so the destination URLs should be inventoried before the package is trusted not to exchange data with unexpected endpoints.
  • Shell: No shell execution patterns detected, suggesting low risk for direct system command execution.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The author's information is sparse and the account seems new or inactive, raising some suspicion but not conclusive evidence of malice.

📦 Package Quality Overall: Low (4.2/10)

○ Test Suite: Low (1.0)

No test suite detected

  • No test files or test-runner configuration detected

◈ Documentation: Medium (5.0)

Some documentation present

  • Detailed PyPI description (4265 chars)

○ Contributing Guide: Low (2.0)

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Type Annotations: Medium (7.0)

Partial type annotation coverage

  • Type checker (mypy / pyright / pytype) referenced in project
  • 217 type-annotated function signatures detected in source

◈ Multiple Contributors: Medium (6.0)

Limited contributor diversity

  • 2 unique contributor(s) across 31 commits in scanoss/ai-finder
  • Two distinct contributors found

🔬 Heuristic Checks

⚠ Outbound Network Calls (score 7.5)

Found 5 network call pattern(s). Each match below is a truncated window of source text around the flagged call, with line breaks collapsed by the scanner:

  • `…meout self._session = requests.Session() def get_local_version(self) -> int: """Get th…`
  • `…rbose self._session = requests.Session() if token: self._session.headers["Autho…`
  • `…rbose self._session = requests.Session() def crawl(self, packages: list[str] | None = None) ->…`
  • `…""" self._session = requests.Session() if token: self._session.headers["Autho…`
  • `…r.""" self._session = requests.Session() def lookup_package(self, name: str, version: str | No…`
✓ Code Obfuscation

No obfuscation patterns detected

✓ Shell / Subprocess Execution

No shell execution patterns detected

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: scanoss.com

✓ Suspicious Page Links

All external links appear legitimate

✓ Git Repository History

Repository scanoss/ai-finder appears legitimate

⚠ Maintainer History (score 4.0)

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with ai-finder:

Create a mini-application called 'SupplyChainGuard' using the Python package 'ai-finder'. This application aims to enhance supply chain security by scanning for potential AI artifacts that could pose risks. Here's a detailed plan on how to build it:

1. **Setup**: Begin by installing 'ai-finder' and setting up your Python environment. Ensure you have the latest version of Python installed.
2. **Core Functionality**: Implement the core scanning functionality provided by 'ai-finder'. Your application should be able to scan a given directory or file system path for any AI artifacts that could be integrated into the supply chain without proper vetting.
3. **Risk Assessment**: Once identified, categorize these artifacts based on their risk levels (low, medium, high). This assessment could be based on factors like the origin of the artifact, its complexity, and known vulnerabilities.
4. **Reporting**: Develop a reporting feature that generates a comprehensive report of all findings. This report should include details such as the type of artifact, its location, risk level, and any recommendations for further action.
5. **User Interface**: Although not mandatory, consider adding a simple command-line interface (CLI) or even a basic GUI to make the tool more user-friendly.
6. **Security Measures**: Ensure that 'SupplyChainGuard' includes measures to protect against false positives and negatives. Consider integrating machine learning models to improve accuracy over time.
7. **Documentation**: Write clear documentation explaining how to use 'SupplyChainGuard', including setup instructions, usage examples, and API documentation if applicable.
8. **Testing**: Rigorously test the application to ensure it works as expected under various conditions. Include unit tests and integration tests where possible.

By following these steps, you will create a valuable tool that leverages 'ai-finder' to help organizations maintain better control over their AI supply chains.