AI Analysis
The package exhibits moderate risks due to potential obfuscation and credential misuse, raising concerns about its integrity and security practices.
- High obfuscation risk
- Potential misuse of GITHUB_TOKEN
Per-check LLM notes
- Obfuscation: The presence of base64 decoding suggests potential obfuscation, which may hide malicious code or data.
- Credentials: The use of GITHUB_TOKEN indicates possible unauthorized access to GitHub resources if not properly secured.
- Metadata: The package shows low engagement and poor metadata quality, but there are no clear signs of malicious intent.
Package Quality Overall: Low (4.6/10)
Test suite present — 1 test file(s) found
Test runner config found: pyproject.toml
1 test file(s) detected (e.g. test_auditors.py)
Some documentation present
Detailed PyPI description (3740 chars)
No contributing guide or governance files found
No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
Partial type annotation coverage
11 type-annotated function signatures detected in source
Single-author or unverifiable project
1 unique contributor(s) across 15 commits in nometria/app-auditor
Single author with few commits — possibly a personal or throwaway project
Heuristic Checks
Found 5 network call pattern(s)
- ees/HEAD?recursive=1" r = requests.get(url, headers=_github_headers(), timeout=GITHUB_TIMEOUT)
- repos/{owner}/{repo}" r = requests.get(url, headers=_github_headers(), timeout=GITHUB_TIMEOUT)
- owner}/{repo}/readme" r = requests.get(url, headers={**_github_headers(), "Accept": "application/vn
- epo}/contents/{path}" r = requests.get(url, headers=_github_headers(), timeout=GITHUB_TIMEOUT)
- """ try: r = requests.get( url, timeout=REQUEST_TIMEOUT,
Found 1 obfuscation pattern(s)
) == "base64": return base64.b64decode(data.get("content", "")).decode("utf-8", errors="ignore")
No shell execution patterns detected
Found 1 credential access pattern(s)
rn GITHUB_HEADERS token = os.getenv("GITHUB_TOKEN") h = {"Accept": "application/vnd.github+json"} if
No typosquatting candidates detected
No author email provided
All external links appear legitimate
Repository nometria/app-auditor appears legitimate
3 maintainer concern(s) found
- Author name is missing or very short
- Author "" appears to have only 1 package on PyPI (new or inactive account)
- Package has no PyPI classifiers (low effort / metadata quality)
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Create a Python-based web application called 'TechStackAnalyzer' that leverages the 'app-auditor' package to analyze the technical stack and identify potential production-readiness issues of any given website or GitHub repository. The application should provide users with a user-friendly interface where they can input either a live URL or a GitHub repository link. Upon submission, the application will utilize the 'app-auditor' package to perform a comprehensive analysis. The results should include a detailed report highlighting the detected technologies, security vulnerabilities, performance issues, and any other relevant information that could affect the production readiness of the analyzed site or repository. Additionally, the application should offer suggestions on how to mitigate identified risks and improve overall stability and security. Consider integrating a feature that allows users to save their reports for future reference and another that enables them to share their findings via email or social media platforms.