Package Metadata

Author: Satoshi Ltd.
Email: —
PyPI: alpi-agent
Python: <3.14,>=3.10
Versions: 129 releases
First release: 26 Apr 2026, 03:54 UTC
Analysed: 07 Jun 2026, 00:37 UTC
Source files: 66 .py files scanned

Project Links

Classifiers

Development Status :: 4 - BetaEnvironment :: ConsoleIntended Audience :: DevelopersIntended Audience :: End Users/DesktopOperating System :: MacOS :: MacOS XOperating System :: POSIX :: LinuxProgramming Language :: Python :: 3Programming Language :: Python :: 3.10Programming Language :: Python :: 3.11Programming Language :: Python :: 3.12

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits high risks related to network and shell activities, suggesting potential unauthorized external communications and arbitrary command execution. While there's no direct evidence of credential harvesting or malicious intent, the combination of these risks raises concerns about a possible supply-chain attack.

High network risk due to potential C2 activity
High shell risk indicating capability for system-level control

Per-check LLM notes

Network: The observed network patterns indicate potential unauthorized external communications, especially given the use of tokens and bot commands which could be indicative of C2 activity.
Shell: The shell execution patterns suggest the package may execute arbitrary commands, potentially allowing for system-level control and manipulation, which is highly suspicious.
Obfuscation: The code uses Base64 decoding for various operations, which is common in cryptographic libraries but may indicate obfuscation if used to hide logic.
Credentials: No clear patterns of credential harvesting are detected.
Metadata: The maintainer has only one package, which may indicate a new or less active account, raising some suspicion but not conclusive evidence of malice.

📦 Package Quality Overall: Medium (5.0/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

Test runner config found: pyproject.toml

◈ Medium Documentation 5.0

Some documentation present

Detailed PyPI description (10002 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

686 type-annotated function signatures detected in source

◈ Medium Multiple Contributors 5.0

Limited contributor diversity

1 unique contributor(s) across 100 commits in satoshi-ltd/alpi
Single author but highly active (100 commits)

🔬 Heuristic Checks

⚠ Outbound Network Calls score 9.0

Found 6 network call pattern(s)

ot{token}/getMe" with urllib.request.urlopen(url, timeout=5.0) as resp: body = _json.
ram.org/bot{token}" with httpx.Client(timeout=60) as client: if attachment: fr
OST_URL configured") with httpx.Client(timeout=30) as client: resp = client.post(url, json=
token(self.home) with httpx.Client(timeout=10.0) as client: r = client.get(
dded", } with httpx.Client(timeout=15.0) as client: r = client.get(
self.home) async with httpx.AsyncClient(timeout=60) as client: while True:

⚠ Code Obfuscation score 10.0

Found 6 obfuscation pattern(s)

s off by {delta}") sig = base64.b64decode(alp["sig"]) payload = _canonical_bytes(_stripped_for_sig
peer envelopes.""" raw = base64.b64decode(b64.strip()) return Ed25519PublicKey.from_public_bytes(r
bool: try: raw = base64.b64decode(pubkey_b64, validate=True) except Exception: # noqa: BL
byte group key.""" blob = base64.b64decode(sealed_b64) if len(blob) < 32 + 12 + 16: raise V
4: str) -> bytes: nonce = base64.b64decode(nonce_b64) ct = base64.b64decode(ciphertext_b64) ret
b64decode(nonce_b64) ct = base64.b64decode(ciphertext_b64) return ChaCha20Poly1305(group_key).decry

⚠ Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

try: p = subprocess.Popen(cmd, stdin=subprocess.PIPE) p.communicate(text.e
list[str]) -> str: res = subprocess.run(cmd, capture_output=True, text=True, check=True) return
l.which("alpi") or "alpi" subprocess.Popen( [alpi_bin, "daemon", "start"], stdin=subpro
uid = os.getuid() subprocess.run( ["launchctl", "kickstart", "-k", f"gui/{uid}/co
.startswith("linux"): subprocess.run( ["systemctl", "--user", "start", "alpi-daemon.s
d: return subprocess.run( [sys.executable, "-m", "playwright", "install",

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

No author email provided

✓ Suspicious Page Links

All external links appear legitimate

✓ Git Repository History

Repository satoshi-ltd/alpi appears legitimate

⚠ Maintainer History score 2.0

1 maintainer concern(s) found

Author "Satoshi Ltd." appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with alpi-agent

Create a fully-functional mini-application called 'AlpiChat' that leverages the 'alpi-agent' package to provide personalized assistance through a command-line interface (CLI). AlpiChat should serve as a versatile tool for users to interact with their personal AI agents directly from their terminal, allowing them to perform tasks such as scheduling reminders, fetching weather updates, setting alarms, and more. Additionally, AlpiChat should support integration with popular messaging platforms like Slack and Discord for real-time notifications and interactions.

Key Features:
1. User Profile Management: Allow users to create, edit, and manage their profiles, including preferences and settings for their personal AI agent.
2. Command Execution: Implement a robust command parser that understands natural language inputs and executes corresponding actions based on the user's profile and preferences.
3. Integration with Messaging Platforms: Enable AlpiChat to send and receive messages from Slack and Discord, acting as a bridge between the user's terminal and their preferred communication channels.
4. Real-Time Notifications: Configure AlpiChat to send push notifications to the user's terminal or connected messaging platforms based on events such as new emails, calendar invites, or system alerts.
5. Custom Commands: Provide users with the ability to define custom commands tailored to their specific needs, enhancing the functionality of their personal AI agent.

Utilization of 'alpi-agent':
- Use 'alpi-agent' to initialize and manage the personal AI agent within AlpiChat, ensuring it operates seamlessly across different environments and platforms.
- Leverage 'alpi-agent' for profile-based personalization, enabling the AI agent to adapt its responses and actions based on the user's unique settings and preferences.
- Integrate 'alpi-agent' with the command execution feature to process natural language inputs and generate appropriate outputs or actions.
- Employ 'alpi-agent' to facilitate seamless integration with messaging platforms, ensuring reliable and efficient communication between the user's terminal and external services.