all-repos

v1.32.0 suspicious
5.0
Medium Risk

Clone all your repositories and apply sweeping changes.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate signs of obfuscation and has metadata that raises concerns, but there is no definitive evidence of malicious activity.

  • Obfuscation risk of 7/10
  • New maintainer with only one package
  • One non-HTTPS link
Per-check LLM notes
  • Obfuscation: The observed patterns suggest an attempt to obfuscate the import process of modules, which could be indicative of evasion techniques or hiding malicious functionality.
  • Credentials: No clear signs of credential harvesting are present based on the provided code snippets.
  • Metadata: The package has one non-HTTPS link and a new maintainer with a single package, which could indicate potential risk but lacks clear evidence of malicious intent.

📦 Package Quality Overall: Low (4.6/10)

○ Low Test Suite 1.0

No test suite detected

  • No test files or test-runner configuration detected
◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (21195 chars)
○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 114 type-annotated function signatures detected in source
✦ High Multiple Contributors 10.0

Active multi-contributor project

  • 9 unique contributor(s) across 100 commits in asottile/all-repos
  • Active community — 5 or more distinct contributors

🔬 Heuristic Checks

Outbound Network Calls score 7.5

Found 5 network call pattern(s)

  • Any) -> Response: resp = urllib.request.urlopen(urllib.request.Request(url, **kwargs)) obj = jso
  • resp = urllib.request.urlopen(urllib.request.Request(url, **kwargs)) obj = json.load(resp) return
  • resp = urllib.request.urlopen(urllib.request.Request(url, **kwargs)) obj = json.load(resp) next_i
  • Any) -> Response: resp = urllib.request.urlopen(urllib.request.Request(url, **kwargs)) return Re
  • resp = urllib.request.urlopen(urllib.request.Request(url, **kwargs)) return Response(json.load(resp),
Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • tr) -> None: try: __import__(module) except ImportError: raise SystemExit(
  • dir) source_module: Any = __import__(contents['source'], fromlist=['__trash']) source_settings = source_module.Settings(**contents['so
  • ngs']) push_module: Any = __import__(contents['push'], fromlist=['__trash']) push_settings = push_module.Settings(**contents['push_s
Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • yet supported {service}' subprocess.check_call(('git', 'init', '-q', path)) url = f'https://github.com/
  • ttps://github.com/{repo}' subprocess.check_call(('git', 'remote', 'add', 'origin', url), cwd=path) fetch
  • rigin', 'HEAD', '--tags') subprocess.check_call(fetch, cwd=path) @functools.cache def _latest_tag(service:
  • '--abbrev=0') return subprocess.check_output(cmd, cwd=tmpdir).strip().decode() def find_repos(config: C
  • ult('check', True) return subprocess.run(cmd, **kwargs) def assert_importable(module: str, *, insta
  • -symbolic', '@{u}') out = subprocess.check_output(cmd).strip().decode() assert out.startswith('origin/')
Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: umich.edu

Suspicious Page Links score 2.0

Found 1 suspicious link(s) on the package page

  • Non-HTTPS external link: http://gitolite.com/gitolite/index.html
Git Repository History

Repository asottile/all-repos appears legitimate

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Anthony Sottile" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with all-repos
Create a Python-based command-line utility named 'RepoManager' that leverages the 'all-repos' package to automate the process of cloning all repositories from a specified GitHub account and applying a series of predefined changes across them. This utility will streamline the task of maintaining multiple repositories by allowing users to perform bulk operations such as updating README files, renaming branches, or modifying specific file contents.

Step 1: Setup
- Install necessary packages including 'all-repos' and any other dependencies required for interacting with GitHub.
- Authenticate the user with their GitHub credentials.

Step 2: Repository Cloning
- Use 'all-repos' to clone all repositories associated with the authenticated user's GitHub account.
- Ensure the utility can handle different repository types and sizes efficiently.

Step 3: Apply Changes
- Implement a feature to update README.md files with a standard template provided by the user.
- Allow renaming of default branches from 'master' to 'main'.
- Provide functionality to replace placeholders within specific files with user-defined content.

Step 4: Push Changes
- After applying changes locally, push these updates back to the respective repositories.
- Handle conflicts and errors gracefully, providing clear feedback to the user.

Suggested Features:
- Support for filtering repositories based on criteria like language, creation date, or visibility.
- Integration with Git hooks for automating post-commit tasks.
- Logging and reporting functionalities to track changes made.
- User-friendly command-line interface with help documentation.

The 'all-repos' package is crucial for efficiently cloning repositories and managing them in bulk, enabling the utility to focus on implementing the change-making logic rather than the repetitive cloning process.
