AI Analysis
Final verdict: SUSPICIOUS
The package is assessed as suspicious due to its moderate network and shell execution risks, despite having no evident credential or obfuscation risks. Low maintainer activity and incomplete metadata further add to the uncertainty.
- Moderate network risk from external URL calls.
- High risk associated with executing shell commands.
- Low maintainer activity and incomplete metadata.
Per-check LLM notes
- Network: The package makes network calls to external URLs which could be unexpected and potentially risky if not documented clearly.
- Shell: Executing shell commands with user-defined inputs can pose significant risks, including potential for data exfiltration or execution of unauthorized code.
- Obfuscation: No obfuscation patterns detected, indicating low risk.
- Credentials: No credential harvesting patterns detected, indicating low risk.
- Metadata: The package shows low maintainer activity and lacks standard metadata, raising some suspicion but not definitive signs of malice.
Package Quality Overall: Low (2.8/10)
○ Low
Test Suite
1.0
No test suite detected
No test files or test-runner configuration detected
◈ Medium
Documentation
5.0
Some documentation present
Detailed PyPI description (6233 chars)
○ Low
Contributing Guide
2.0
No contributing guide or governance files found
No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
◈ Medium
Type Annotations
5.0
Partial type annotation coverage
96 type-annotated function signatures detected in source
○ Low
Multiple Contributors
1.0
Unable to verify contributor count: no GitHub repository found
No GitHub repository linked — contributor count unavailable
Heuristic Checks
Outbound Network Calls
No suspicious network call patterns found
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
score 6.0
Found 3 shell execution pattern(s)
抓取 URL 并解析为 JSON。""" r = subprocess.run( ["curl", "-s", "--max-time", str(timeout)] + _rand_astmoney.com/", ] r = subprocess.run( ["curl", "-s", "--max-time", str(timeout)] + header] cmd.append(url) r = subprocess.run(cmd, capture_output=True, text=True) return r.stdout ""
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
No author email provided
Suspicious Page Links
All external links appear legitimate
Git Repository History
No GitHub repository linked
No GitHub repository link found
Maintainer History
score 6.0
3 maintainer concern(s) found
Author name is missing or very shortAuthor "" appears to have only 1 package on PyPI (new or inactive account)Package has no PyPI classifiers (low effort / metadata quality)
Known CVE Vulnerabilities
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Use this prompt to build a project with akfund-mcp
Create a Python-based mini-application named 'FundWiz' that integrates the 'akfund-mcp' package to provide users with real-time insights into Chinese mutual funds and the broader market. FundWiz should allow users to input specific fund codes and receive detailed information such as real-time estimates, historical Net Asset Value (NAV), sector-specific stock quotes, and aggregated financial news. Additionally, implement a feature that allows users to compare multiple funds side by side, highlighting key performance indicators like returns, volatility, and risk-adjusted returns. The application should also include a news aggregator that fetches and displays recent financial news relevant to the Chinese market. Ensure that the user interface is intuitive and easy to navigate, providing both textual and graphical outputs where appropriate. Utilize 'akfund-mcp' to fetch all necessary data directly from its API endpoints, ensuring that the app updates in real-time for the most accurate information. Finally, consider adding a feature that sends daily summaries of key market events and fund performances via email or SMS.