ai-security-scan

v0.4.0 · suspicious · 6.0 · Medium Risk

Multi-domain code quality + compliance gate for AI-generated apps. Security scanning, linting, SAST, SCA, IaC, container - plus HIPAA, SOC 2, OWASP, and FedRAMP compliance with auto-fix, manual-action checklist, and per-endpoint vulnerability mapping.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits significant risks related to shell usage and code obfuscation techniques, which are concerning indicators of potential security vulnerabilities or malicious intent.

  • High risk due to use of shell=True
  • High risk due to presence of eval()

Per-check LLM notes
  • Network: Direct use of user-supplied URLs in network calls without validation is risky and could potentially be used for data exfiltration or C2 communications.
  • Shell: The use of shell=True in subprocess.run is unsafe and can lead to arbitrary code execution if input is not properly sanitized, suggesting potential for malicious activity.
  • Obfuscation: The presence of eval() and related patterns suggests potential for code injection and obfuscation, indicating a high risk.
  • Credentials: While the mention of AWS credentials and OIDC-based auth does not directly indicate credential harvesting, it could imply improper handling of secrets, suggesting a moderate risk.
  • Metadata: The maintainer has an incomplete profile and may be new or inactive, raising some suspicion but not definitive evidence of malice.

📦 Package Quality Overall: Medium (6.2/10)

✦ High Test Suite 9.0

Test suite present — 9 test file(s) found

  • Test runner config found: pyproject.toml
  • 9 test file(s) detected (e.g. test_agents.py)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (15109 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta

◈ Medium Type Annotations 7.0

Partial type annotation coverage

  • Type checker (mypy / pyright / pytype) referenced in project
  • 222 type-annotated function signatures detected in source

◈ Medium Multiple Contributors 6.0

Limited contributor diversity

  • 2 unique contributor(s) across 22 commits in nometria/security-scanner
  • Two distinct contributors found

🔬 Heuristic Checks

Outbound Network Calls score 1.5

Found 1 network call pattern(s)

  • ser-supplied URLs directly to requests.get() or fetch() without " "validation enables Server-Si

Code Obfuscation score 10.0

Found 6 obfuscation pattern(s)

  • 'function run(input) { return eval(input); }'}, expected_rule="SEC-003", descri
  • on parseInput(input) { return eval(input); } // VULN_037: eval in template
  • rocessTemplate(t, d) { return eval("`" + t + "`"); } // VULN_038: new Function
  • to repo SEC-003 Dangerous eval() / exec() usage SEC-004 SQL injection risk patterns SE
  • g]: """SEC-003: Dangerous eval() / exec() / new Function() usage. Skips method calls l
  • re). Only matches global `eval(`, top-level `exec(` (Python), and `new Function(`. """

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • try: proc = subprocess.run(["ruff", "check", "--fix", str(root)],
  • try: proc = subprocess.run(["eslint", "--fix", str(root)],
  • e.""" try: proc = subprocess.run( ["git"] + args, cwd=cwd,
  • " # Unsafe:\n" " subprocess.run(f'convert {user_file} output.pdf', shell=True)\n" "
  • " # Safe:\n" " subprocess.run(['convert', user_file, 'output.pdf'], shell=False)" )
  • try: proc = subprocess.run( cmd, cwd=cwd,

Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • l dev, use AWS_PROFILE with ~/.aws/credentials. " "For CI/CD, use OIDC-based auth (no static keys)

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository nometria/security-scanner appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with ai-security-scan:

Create a comprehensive security audit tool for AI applications using the 'ai-security-scan' Python package. This tool will serve as a one-stop solution for developers to ensure their AI projects meet strict security and compliance standards. The application should include the following key functionalities:

1. **Security Scanning**: Automatically scan AI application code for common vulnerabilities, including but not limited to SQL injection, cross-site scripting (XSS), and insecure API usage.
2. **Code Quality Linting**: Provide feedback on coding practices to improve code readability and maintainability, ensuring adherence to best practices.
3. **Static Application Security Testing (SAST)**: Analyze source code to detect potential security weaknesses.
4. **Software Composition Analysis (SCA)**: Identify open-source components within the application and check them against known vulnerabilities.
5. **Infrastructure as Code (IaC) Review**: Ensure that infrastructure configurations comply with security policies and best practices.
6. **Container Security**: Scan Docker images and containers for vulnerabilities and misconfigurations.
7. **Compliance Checks**: Verify that the application complies with regulatory requirements such as HIPAA, SOC 2, OWASP, and FedRAMP.
8. **Auto-Fix Recommendations**: Offer automated fixes for detected issues where possible.
9. **Manual Action Checklist**: For issues that cannot be automatically fixed, provide a detailed checklist of actions required to address the problem.
10. **Vulnerability Mapping**: Create a visual map linking each endpoint of the application to its identified vulnerabilities.

The tool should output a comprehensive report detailing the findings from each of these scans, along with actionable recommendations. It should also allow users to specify which compliance frameworks they wish to adhere to, tailoring the audit process accordingly. Utilize the 'ai-security-scan' package's capabilities to streamline the integration of these features into a cohesive and user-friendly interface.