anolis-workbench

v0.11.7 | Verdict: suspicious | Risk score: 6.0 (Medium Risk)

Anolis commissioning workbench with handoff export tooling.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate risks, particularly concerning shell execution and network interactions, which require further scrutiny to rule out potential supply-chain threats.

  • High shell risk due to subprocess.run usage
  • Potential unauthorized data transmission via network calls

Per-check LLM notes

  • Network: The network calls may be part of normal package functionality but warrant closer inspection to ensure they are not being used for unauthorized data transmission.
  • Shell: Use of subprocess.run for executing commands suggests potential execution of arbitrary code, which could indicate the presence of a backdoor or unintended behavior.
  • Obfuscation: No obfuscation patterns detected.
  • Credentials: The code accesses GITHUB_TOKEN from environment variables, which may indicate legitimate usage for authentication purposes but also poses a risk if not properly secured.
  • Metadata: The package shows signs of low maintainer activity and poor metadata quality, but there are no clear indicators of malicious intent.

📦 Package Quality Overall: Low (4.4/10)

✦ Test Suite: High (9.0)

Test suite present — 21 test file(s) found

  • Test runner config found: pyproject.toml
  • 21 test file(s) detected (e.g. test_templates.py)

◈ Documentation: Medium (5.0)

Some documentation present

  • Detailed PyPI description (3022 chars)

○ Contributing Guide: Low (2.0)

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Type Annotations: Medium (5.0)

Partial type annotation coverage

  • 348 type-annotated function signatures detected in source

○ Multiple Contributors: Low (1.0)

Unable to verify contributor count: no GitHub repository found

  • No GitHub repository linked — contributor count unavailable

🔬 Heuristic Checks

Outbound Network Calls (score 9.0)

Found 6 network call pattern(s); matched source fragments are truncated as reported by the scanner:

  • aders[key] = value req = urllib.request.Request(target_url, data=body, headers=headers, method=metho
  • m: response_ctx = urllib.request.urlopen(req) else: response_ctx = urllib
  • e: response_ctx = urllib.request.urlopen(req, timeout=15) with response_ctx as respo
  • plication/json" request = urllib.request.Request( f"{base_url}{path}", data=payload,
  • , ) try: with urllib.request.urlopen(request, timeout=timeout_s) as response:
  • lication/json" request = urllib.request.Request( f"{base_url}{path}", data=payload,

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution (score 10.0)

Found 6 shell execution pattern(s); matched source fragments are truncated as reported by the scanner:

  • rkbench", ] result = subprocess.run(pip_args, capture_output=True, timeout=300) if result.re
  • udo else cmd result = subprocess.run(full_cmd, input=input, capture_output=True, timeout=30)
  • remote_cmd)] result = subprocess.run( ssh_cmd, input=input, c
  • ote(path)}"] result = subprocess.run(ssh_cmd, input=data, capture_output=True, timeout=60)
  • d"} try: result = subprocess.run( [str(exe), "--check-config", str(yaml_path)],
  • , runtime_config] proc = subprocess.Popen( cmd, stdout=subprocess.PIPE, stderr

Credential Harvesting (score 10.0)

Found 5 credential access pattern(s); matched source fragments are truncated as reported by the scanner:

  • return 1 token = os.environ.get("GITHUB_TOKEN") print("Anolis Provision — Install") print(f" Pr
  • ch_map[args.arch] token = os.environ.get("GITHUB_TOKEN") print("Anolis Provision — Bundle") print(f" Pro
  • return 1 token = os.environ.get("GITHUB_TOKEN") session_id = uuid.uuid4().hex[:12] print("Anolis
  • ost.split("@", 1) token = os.environ.get("GITHUB_TOKEN") executor = SubprocessSSHExecutor( host=host,
  • s token = github_token or os.environ.get("GITHUB_TOKEN") session = requests.Session() tarballs: list[tuple

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History (score 6.0)

3 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with anolis-workbench:

Create a mini-application called 'AnolisCommissioner' that leverages the 'anolis-workbench' package to streamline the commissioning process for Anolis systems. This application should include the following functionalities:

1. User Authentication: Implement basic user authentication to ensure only authorized personnel can access the commissioning tools.
2. System Inventory: Allow users to input and manage a list of Anolis systems they are responsible for commissioning. Each system entry should include details such as serial number, location, and status.
3. Commissioning Tasks: Provide a feature where users can document the commissioning tasks performed on each system. These tasks should be categorized into predefined steps such as 'Initial Setup', 'Configuration', 'Testing', etc.
4. Handoff Export: Utilize the 'anolis-workbench' package's handoff export tooling to generate comprehensive reports for each system after commissioning is complete. These reports should include all documented tasks, any issues encountered, and final system status.
5. Dashboard: Develop a dashboard that provides an overview of all systems, highlighting those that require attention based on their current status.
6. Notifications: Integrate a notification system that alerts users when a system requires immediate attention or when a commissioning task is due.

For each feature, detail how you will utilize the 'anolis-workbench' package to achieve the desired functionality, especially focusing on how the handoff export tooling is integrated into the workflow.
