alnur

v1.0.2 suspicious
7.0
High Risk

ALNUR — Open-source end-to-end vulnerability identifier for applications

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits significant risks related to shell and obfuscation usage, which could lead to severe vulnerabilities like command injection and remote code execution. While not definitive proof of malicious intent, these factors combined with credential and metadata risks warrant caution.

  • High shell risk due to os.system() and subprocess with shell=True
  • Severe obfuscation risk due to eval() with user-controlled data

Per-check LLM notes

  • Network: The network call pattern suggests the package may be communicating with an external service, which could be legitimate but requires further investigation into its purpose.
  • Shell: The use of os.system() and subprocess with shell=True indicates potential for command injection vulnerabilities, suggesting a higher risk that needs addressing to prevent possible exploitation.
  • Obfuscation: The presence of 'eval()' with user-controlled data suggests potential for malicious obfuscation and remote code execution.
  • Credentials: Reading sensitive files such as /etc/passwd, .env, and private keys indicates a high risk of credential harvesting.
  • Metadata: The maintainer has a new or inactive account and lacks a proper author name, raising some suspicion.

📦 Package Quality Overall: Low (4.2/10)

○ Low Test Suite 1.0

No test suite detected

  • No test files or test-runner configuration detected

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (6961 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 113 type-annotated function signatures detected in source

◈ Medium Multiple Contributors 6.0

Limited contributor diversity

  • 2 unique contributor(s) across 9 commits in Threads-Beams/ALNUR
  • Two distinct contributors found

🔬 Heuristic Checks

Outbound Network Calls score 1.5

Found 1 network call pattern(s)

  • try: resp = requests.post( _OSV_BATCH_URL, json=payloa

Code Obfuscation score 8.0

Found 4 obfuscation pattern(s)

  • s|body|query|argv)", "eval() called with user-controlled data — remote code execution r
  • "Never pass user input to eval(). Use safe alternatives like ast.literal_eval()", (
  • COOKIE|SERVER)", "PHP eval() with user input — direct remote code execution", "
  • e execution", "Remove eval() with user input entirely; redesign the logic", ("*

Shell / Subprocess Execution score 8.0

Found 4 shell execution pattern(s)

  • "Possible command injection: os.system() with user-controlled input", # alnur: ignore "Use
  • a list of arguments and avoid shell=True", ("*.py",), "CWE-78", ), _rule( "I
  • "subprocess called with shell=True — enables shell injection", "Pass command as a list
  • command as a list and remove shell=True unless absolutely required", ("*.py",), "CWE-78",

Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • y", _PY, "Agent reads /etc/passwd, .env, private keys, or other sensitive files", ),

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: threadsandbeams.com

Suspicious Page Links score 2.0

Found 1 suspicious link(s) on the package page

  • Non-HTTPS external link: http://...

Git Repository History

Repository Threads-Beams/ALNUR appears legitimate

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with alnur:

Create a mini-application called 'VulnerabilityScanner' using Python that leverages the 'alnur' package to identify potential security vulnerabilities in web applications. This tool should allow users to input URLs of websites they want to scan for common vulnerabilities such as SQL injection, cross-site scripting (XSS), and open redirect attacks. Additionally, the application should generate a report detailing the vulnerabilities found along with severity levels and recommended actions to mitigate these risks.

Steps to develop the application:
1. Set up the environment with Python and install necessary packages including 'alnur'.
2. Design a user-friendly command-line interface where users can enter URLs and select the type of scan they wish to perform.
3. Implement functionality within 'VulnerabilityScanner' that uses 'alnur' to analyze the provided URL and detect any known vulnerabilities.
4. Create a feature to categorize detected vulnerabilities based on their severity (low, medium, high).
5. Develop a reporting system that compiles findings into a human-readable format, outlining each issue, its severity, and suggestions for remediation.
6. Ensure the application includes error handling for invalid inputs and network issues.
7. Test the application thoroughly against various test cases to ensure accuracy and reliability.
8. Document the code and provide usage instructions for other developers or security professionals.
