🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits high obfuscation risk due to the use of eval() with untrusted input, which can lead to code injection attacks. Additionally, the metadata risk is moderate due to non-HTTPS links and a single-package author, raising concerns about the authenticity and trustworthiness of the package.

High obfuscation risk due to eval() usage.
Moderate metadata risk due to non-HTTPS links and single-package author.

Per-check LLM notes

Network: The use of requests.Session() indicates the package makes network calls, which could be for legitimate purposes like API interactions.
Shell: No shell execution patterns were detected, suggesting no immediate risk from command execution.
Obfuscation: The use of eval() with untrusted input is highly suspicious and poses significant security risks.
Credentials: No clear evidence of credential harvesting patterns detected.
Metadata: Suspicious non-HTTPS links and an author with only one package suggest potential risk.

📦 Package Quality Overall: Low (3.8/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

2 test file(s) detected (e.g. Tools.py)

◈ Medium Documentation 5.0

Some documentation present

Detailed PyPI description (17269 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Medium Type Annotations 5.0

Partial type annotation coverage

3 type-annotated function signatures (partial)

○ Low Multiple Contributors 1.0

Unable to verify contributor count: no GitHub repository found

No GitHub repository linked — contributor count unavailable

🔬 Heuristic Checks

⚠ Outbound Network Calls score 1.5

Found 1 network call pattern(s)

elf): self.session = requests.Session() def __run_script(self, data): # 执行前后置脚本，可以

⚠ Code Obfuscation score 4.0

Found 2 obfuscation pattern(s)

func_args = eval(f"[{func_args_str}]") except Exception as e:
try: return eval(data_str) except (SyntaxError, NameError, TypeError

✓ Shell / Subprocess Execution

No shell execution patterns detected

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: xiaoh.com

⚠ Suspicious Page Links score 4.0

Found 2 suspicious link(s) on the package page

Non-HTTPS external link: http://121.43.169.97:8081
Non-HTTPS external link: http://...

✓ Git Repository History

No GitHub repository linked

No GitHub repository link found

⚠ Maintainer History score 2.0

1 maintainer concern(s) found

Author "Shawn" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with api-engine-xin

Build a simple Python application using the api-engine-xin package to demonstrate its core features.