Package Metadata

Author: —
Email: AlgoVoi <[email protected]>
PyPI: algovoi-webhook-verifier
Python: >=3.9
Versions: 1 release
First release: 31 May 2026, 10:32 UTC
Analysed: 06 Jun 2026, 22:02 UTC
Source files: 6 .py files scanned

Project Links

Classifiers

Development Status :: 4 - BetaIntended Audience :: DevelopersLicense :: OSI Approved :: Apache Software LicenseProgramming Language :: Python :: 3Programming Language :: Python :: 3.10Programming Language :: Python :: 3.11Programming Language :: Python :: 3.12Programming Language :: Python :: 3.9Topic :: Security :: CryptographyTopic :: Software Development :: Libraries :: Python Modules

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package has low risks in terms of network calls, shell execution, and obfuscation. However, its metadata, including the newly created repository with little activity and unknown maintainers, raises suspicion.

Recent repository creation
Minimal repository activity
Lack of maintainer history

Per-check LLM notes

Network: No network calls suggest normal behavior for a webhook verification package.
Shell: No shell execution suggests the package is not attempting to execute commands on the host system.
Obfuscation: No obfuscation patterns detected, indicating low risk of malicious obfuscation.
Credentials: No credential harvesting patterns detected, suggesting no immediate risk of secret theft.
Metadata: The repository's recent creation, minimal activity, and lack of maintainer history suggest potential risk.

📦 Package Quality Overall: Low (4.2/10)

✦ High Test Suite 9.0

Test suite present — 2 test file(s) found

Test runner config found: pyproject.toml
2 test file(s) detected (e.g. test_vectors.py)

○ Low Documentation 1.0

No documentation detected

No documentation URL, doc files, or meaningful description found

○ Low Contributing Guide 4.0

No contributing guide or governance files found

Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

7 type-annotated function signatures (partial)

○ Low Multiple Contributors 2.0

Single-author or unverifiable project

1 unique contributor(s) across 3 commits in chopmob-cloud/algovoi-webhook-verifier
Single author with few commits — possibly a personal or throwaway project

🔬 Heuristic Checks

✓ Outbound Network Calls

No suspicious network call patterns found

✓ Code Obfuscation

No obfuscation patterns detected

✓ Shell / Subprocess Execution

No shell execution patterns detected

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: algovoi.co.uk>

✓ Suspicious Page Links

All external links appear legitimate

⚠ Git Repository History score 7.5

Git history flags: Repository created very recently: 6 day(s) ago (2026-05-31T10:30:58Z)

Repository created very recently: 6 day(s) ago (2026-05-31T10:30:58Z)
Repository has zero stars and zero forks
Single contributor with only 3 commit(s) — possibly throwaway account

⚠ Maintainer History score 6.0

3 maintainer concern(s) found

Only one version has ever been released — brand new package
Author name is missing or very short
Author "" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with algovoi-webhook-verifier

Create a Flask-based web application that acts as a webhook receiver for AlgoVoi, utilizing the 'algovoi-webhook-verifier' package to ensure the integrity and authenticity of incoming webhook payloads. Your application should perform the following steps:

1. Set up a basic Flask server with two endpoints: one for receiving webhook payloads and another for testing purposes.
2. Implement a function to verify the signature of the received webhook payload using the 'algovoi-webhook-verifier' package, supporting both v1 HMAC-SHA256 and v2 HKDF-SHA256/HMAC-SHA384 signature schemes.
3. Upon successful verification, log the payload details (e.g., timestamp, event type, etc.) to a local file or a database.
4. If the signature verification fails, log the error and return an appropriate HTTP response indicating the failure.
5. For the test endpoint, provide a simple form where users can input a mock payload and its expected signature to simulate the verification process.
6. Ensure your application includes error handling for common issues such as malformed requests, missing signature, and invalid payload formats.
7. Document your code clearly, explaining each part of the verification process and how it integrates with the Flask framework.
8. Finally, write a brief README.md file detailing how to set up and run the application locally, including any prerequisites or dependencies.

Suggested additional features include:
- A dashboard within the Flask app to view recent verified webhook events.
- Integration with a logging service like Loggly or Papertrail for more robust logging.
- Support for multiple webhook signing keys to accommodate different environments or teams.