AI Analysis
Final verdict: SUSPICIOUS
The package exhibits moderate risk due to its network activity and incomplete metadata, raising concerns about its reliability and potential for supply-chain attacks.
- The package makes network calls, which could be used for data exchange or updates.
- Lack of maintainer information and a GitHub link suggests potential unreliability.
Per-check LLM notes
- Network: The package makes network calls which could potentially be used for data exchange or updates, but without additional context, it's hard to determine if this is malicious.
- Shell: Subprocess calls appear to be testing command-line interface functionality, which is common in CLI tools, suggesting benign use.
- Obfuscation: The observed patterns suggest standard cryptographic operations using base64 encoding and decoding, which are common practices for handling sensitive data securely.
- Credentials: No suspicious patterns indicating credential harvesting were detected.
- Metadata: The package has some red flags, including lack of maintainer information and a GitHub link, suggesting potential unreliability.
Package Quality Overall: Medium (5.6/10)
✦ High
Test Suite
9.0
Test suite present — 4 test file(s) found
Test runner config found: pyproject.toml4 test file(s) detected (e.g. test_cli.py)
◈ Medium
Documentation
7.0
Some documentation present
Documentation URL: "Documentation" -> https://aigentsy.com/data/proof_bundle_spec.mdDetailed PyPI description (5842 chars)
○ Low
Contributing Guide
4.0
No contributing guide or governance files found
Development Status classifier >= Beta
◈ Medium
Type Annotations
7.0
Partial type annotation coverage
Classifier: Typing :: Typed38 type-annotated function signatures detected in source
○ Low
Multiple Contributors
1.0
Unable to verify contributor count: no GitHub repository found
No GitHub repository linked — contributor count unavailable
Heuristic Checks
Outbound Network Calls
score 7.5
Found 5 network call pattern(s)
ation from {url}") resp = urllib.request.urlopen(url, timeout=15) return json.loads(resp.read())e from {url}") resp = urllib.request.urlopen(url, timeout=15) return json.loads(resp.readion resp = json.loads(urllib.request.urlopen( "https://aigentsy-ame-runtime.onrender.equest try: with urllib.request.urlopen(url, timeout=10) as resp: data = json.lotry: with urllib.request.urlopen(demo_bundle_url, timeout=10) as r: b
Code Obfuscation
score 10.0
Found 6 obfuscation pattern(s)
) signature = base64.b64decode(signature_base64) raw_key = base64.b64decode(public_ure_base64) raw_key = base64.b64decode(public_key_base64) pub_key = Ed25519PublicKey.from_p} try: pub_raw = base64.b64decode(key_entry["public_key_base64"], validate=True) if lent, key_id) sig_raw = base64.b64decode(sig_b64, validate=True) pub.verify(sig_raw, msg)) signature = base64.b64decode(sth.get("signature", "")) raw_key = base64.b64decodeture", "")) raw_key = base64.b64decode(public_key_base64) pub_key = Ed25519PublicKey.from_p
Shell / Subprocess Execution
score 10.0
Found 6 shell execution pattern(s)
"] def test_help(): r = subprocess.run(CLI_MODULE + ["--help"], capture_output=True, text=True)def test_version(): r = subprocess.run(CLI_MODULE + ["--version"], capture_output=True, text=True)test_bundle_verify(): r = subprocess.run(CLI_MODULE + ["bundle", SAMPLE_BUNDLE], capture_output=True,bundle_json_output(): r = subprocess.run(CLI_MODULE + ["bundle", SAMPLE_BUNDLE, "--json"], capture_outest_missing_file(): r = subprocess.run(CLI_MODULE + ["bundle", "nonexistent.json"], capture_output=_text("not json {{{") r = subprocess.run(CLI_MODULE + ["bundle", str(bad)], capture_output=True, text
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
Email domain looks legitimate: aigentsy.com>
Suspicious Page Links
All external links appear legitimate
Git Repository History
No GitHub repository linked
No GitHub repository link found
Maintainer History
score 4.0
2 maintainer concern(s) found
Author name is missing or very shortAuthor "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with aigentsy-verify
Create a Python-based mini-application called 'ProofChecker' that leverages the 'aigentsy-verify' package to provide standalone offline verification of AiGentsy ProofPack v2 bundles, attestations, and policy_layer displays. This tool will enable users to verify the integrity and authenticity of digital proofs without requiring an internet connection, ensuring privacy and security. The application should include the following core functionalities: 1. Load and parse an AiGentsy ProofPack v2 bundle from a file or input stream. 2. Verify the bundle's signature and ensure it has not been tampered with. 3. Extract and validate individual attestations within the bundle. 4. Display the policy_layer information in a user-friendly format. 5. Provide feedback on the verification status of each component (bundle, attestations). Additionally, consider implementing these optional features to enhance usability: - A command-line interface (CLI) for easy interaction. - Integration with a simple GUI for non-technical users. - Support for multiple file formats (e.g., JSON, binary). - Detailed logs and error messages for troubleshooting. - An option to save the verification results to a file. To utilize the 'aigentsy-verify' package, follow these steps: 1. Install the package using pip: `pip install aigentsy-verify`. 2. Use the package's functions to load and verify the ProofPack bundle. 3. Implement error handling to manage invalid inputs or failed verifications. 4. Utilize the package's capabilities to extract and display policy_layer data. 5. Ensure all interactions with the package are efficient and secure. This project aims to create a robust, user-friendly tool for verifying digital proofs in a privacy-conscious manner.