app-classifier

v0.5.3 suspicious
6.0
Medium Risk

Static code analyzer for any repository — classify codebase, extract HTTP routes, detect tech stack, map dependency graph. Multi-language (Python, JS, Java, Go, Ruby, PHP). Zero dependencies. Optional LLM enrichment.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package is flagged for elevated credential risk and medium network and metadata risk. Before reading that as intent, look at where the matches come from: both credential matches are test code (a docstring and a JSON fixture that exercise a path-traversal guard, i.e. code that is supposed to refuse `../../../../etc/passwd`), and four of the six network matches are `unittest.mock` patches of `urllib.request.urlopen` in tests. What remains is one real `urllib.request` POST in source, consistent with the advertised optional LLM enrichment, plus a source repository that cannot be retrieved and a maintainer account with a single package. There is no direct evidence of a supply-chain attack; the open question is where that POST goes and what it sends.

  • Elevated credential risk
  • Medium network risk
  • Medium metadata risk
Per-check LLM notes
  • Network: Two of the six matches are a real `urllib.request` POST in source, built with explicit headers and a timeout, consistent with the optional LLM enrichment the description advertises; the other four are `unittest.mock` patches of `urllib.request.urlopen` in the test suite. To clear this check, confirm which endpoint the POST targets, what repository content goes into the payload, and that it only runs when enrichment is enabled.
  • Shell: No shell execution patterns were detected, suggesting there is no immediate risk of shell command execution from the package.
  • Obfuscation: No signs of obfuscation techniques observed.
  • Credentials: Both matches are in the test suite and test the opposite of harvesting: a docstring stating that tools must refuse reads of `/etc/passwd` or `../../foo`, and a fixture that feeds `../../../../etc/passwd` to a path-traversal guard. A pattern match on a hostile path string inside a test does not show interest in the file; the check worth running is whether the guarded tool actually refuses the request (resolve the path against the repository root and reject anything that escapes it).
  • Metadata: The source repository could not be retrieved (the GitHub API returned 404, so it is deleted, private or mis-declared) and the author account has only one package on PyPI, so provenance cannot be checked against a public history.

📦 Package Quality Overall: Medium (5.2/10)

✦ High Test Suite 9.0

Test suite present — 10 test file(s) found

  • Test runner config found: pyproject.toml
  • 10 test file(s) detected (e.g. test_agent.py)
◈ Medium Documentation 7.0

Some documentation present

  • Detailed PyPI description (8684 chars)
  • Classifier: Documentation
○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 89 type-annotated function signatures detected in source
○ Low Multiple Contributors 1.0

Could not retrieve contributor data from GitHub

  • GitHub API error: 404

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • ers.update(headers) req = urllib.request.Request(url, data=payload, headers=req_headers, method="POST
  • try: with urllib.request.urlopen(req, timeout=timeout) as resp: statu
  • happy_path(): with patch("urllib.request.urlopen") as mock_urlopen: mock_urlopen.return_value
  • one_on_401(): with patch("urllib.request.urlopen") as mock_urlopen: err = urllib.error.HTTPEr
  • turns_none(): with patch("urllib.request.urlopen") as mock_urlopen, \ patch("time.sleep") as
  • n_succeeds(): with patch("urllib.request.urlopen") as mock_urlopen, \ patch("time.sleep"):
Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting score 5.0

Found 2 credential access pattern(s)

  • """If the LLM tries to read /etc/passwd or `../../foo`, tools must refuse.""" stub = _make_stub
  • nts": {"relpath": "../../../../etc/passwd"}, "reasoning": "trying path traversal"}', '{"actio
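Both matches above come from a test that checks a path-traversal guard rather than from code that reads `/etc/passwd`. The following is an added example of the guard such a test would exercise; it is not code from the app-classifier package, and the sandbox root, function names and the constructed symlink layout are assumptions. `Path.resolve()` collapses `..` and follows symlinks, so containment is checked on the canonical path rather than on the raw string the caller supplied.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathRefused(ValueError):
    """Raised when a requested relpath would land outside the sandbox root."""


def resolve_under_root(root: str | os.PathLike, relpath: str) -> Path:
    """Resolve `relpath` against `root` and refuse anything that escapes it.

    Covers the three escape routes a tool-calling LLM can try: absolute paths,
    `..` traversal, and symlinks inside the root that point outside it.
    """
    root_real = Path(root).resolve()
    if os.path.isabs(relpath):
        raise PathRefused(f"absolute path refused: {relpath!r}")
    # resolve() collapses '..' and follows symlinks, also for non-existent paths
    candidate = (root_real / relpath).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathRefused(f"path escapes root: {relpath!r} -> {candidate}") from None
    return candidate


def is_allowed(root: str | os.PathLike, relpath: str) -> bool:
    """Boolean wrapper so callers and tests can check a request without catching."""
    try:
        resolve_under_root(root, relpath)
    except PathRefused:
        return False
    return True


def symlink_escape_is_refused() -> bool:
    """Constructed check: a symlink inside the root pointing outside it is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repo"
        outside = Path(tmp) / "secrets"
        root.mkdir()
        outside.mkdir()
        (outside / "token.txt").write_text("constructed secret, not real")
        os.symlink(outside, root / "link")  # repo/link -> ../secrets
        return not is_allowed(root, "link/token.txt")


if __name__ == "__main__":
    # Hypothetical sandbox root; nothing under it needs to exist for the check.
    sandbox = "/sandbox/repo"
    for rel in ["src/app.py", "docs/../src/app.py", "../../../../etc/passwd", "/etc/passwd"]:
        print(f"{rel!r:32} -> {'allowed' if is_allowed(sandbox, rel) else 'REFUSED'}")
    print("symlink escape refused:", symlink_escape_is_refused())
```

A guard that only strips `..` from the string is not enough: a symlink committed into the repository, or a `docs/../../x` that a naive check normalises too early, both get through. Checking `relative_to` on the resolved path handles all three cases in one place.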
Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Codefixer contributors" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.
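The Outbound Network Calls and Credential Harvesting checks above both count pattern matches without regard to whether the match sits in shipped source or in the test suite, which is what inflates their scores here. The following is an added triage example, not part of the report or of the app-classifier package: it re-runs a pattern scan over a constructed sample tree modelled on the quoted snippets and splits every hit by whether it comes from a test file and whether the line is a `unittest.mock` patch. Pattern lists, file layout and function names are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample tree modelled on the snippets quoted in the report above;
# it is not the package's real source.
SAMPLE_FILES = {
    "app_classifier/llm.py": '''
import urllib.request
import urllib.error

def post_json(url, payload, headers, timeout=30):
    req_headers = {"Content-Type": "application/json"}
    req_headers.update(headers)
    req = urllib.request.Request(url, data=payload, headers=req_headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
''',
    "tests/test_llm.py": r'''
from unittest.mock import patch
import urllib.error

def test_happy_path():
    with patch("urllib.request.urlopen") as mock_urlopen:
        mock_urlopen.return_value.__enter__.return_value.status = 200

def test_returns_none_on_401():
    with patch("urllib.request.urlopen") as mock_urlopen:
        mock_urlopen.side_effect = urllib.error.HTTPError("u", 401, "nope", {}, None)

def test_retry_returns_none():
    with patch("urllib.request.urlopen") as mock_urlopen, \
         patch("time.sleep") as mock_sleep:
        pass

def test_retry_then_succeeds():
    with patch("urllib.request.urlopen") as mock_urlopen, \
         patch("time.sleep"):
        pass
''',
    "tests/test_agent.py": '''
def test_refuses_path_traversal():
    """If the LLM tries to read /etc/passwd or `../../foo`, tools must refuse."""
    action = '{"arguments": {"relpath": "../../../../etc/passwd"}, "reasoning": "trying path traversal"}'
    assert "refuse" in run_stub(action)
''',
}

# Assumed pattern lists; a real scanner would carry many more.
PATTERNS = {
    "network": re.compile(r"urllib\.request\.(?:urlopen|Request)\b|requests\.(?:get|post|put)\(|socket\.create_connection|http\.client\."),
    "credentials": re.compile(r"/etc/(?:passwd|shadow)|\.ssh/|\.aws/credentials|\.\./"),
}
MOCK_RE = re.compile(r"\bpatch\(|MagicMock\(|monkeypatch\.")


@dataclass(frozen=True)
class Hit:
    check: str
    path: str
    lineno: int
    in_tests: bool
    mocked: bool
    snippet: str


def is_test_file(path: str) -> bool:
    """Heuristic: under a test/tests directory, or named test_*.py / *_test.py."""
    p = PurePosixPath(path)
    return (any(part in ("test", "tests") for part in p.parts[:-1])
            or p.name.startswith("test_") or p.name.endswith("_test.py"))


def scan(files: dict[str, str]) -> list[Hit]:
    """One hit per (file, line, check); mocked is set when the line patches the call."""
    hits = []
    for path, text in files.items():
        in_tests = is_test_file(path)
        for lineno, line in enumerate(text.splitlines(), 1):
            for check, rx in PATTERNS.items():
                if rx.search(line):
                    hits.append(Hit(check, path, lineno, in_tests,
                                    bool(MOCK_RE.search(line)), line.strip()[:80]))
    return hits


def summarize(hits: list[Hit]) -> dict[str, dict[str, int]]:
    """Per check: total hits, hits in source, hits in tests, and mocked lines."""
    summary: dict[str, dict[str, int]] = {}
    for h in hits:
        s = summary.setdefault(h.check, {"total": 0, "source": 0, "tests": 0, "mocked": 0})
        s["total"] += 1
        s["tests" if h.in_tests else "source"] += 1
        s["mocked"] += int(h.mocked)
    return summary


if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for check, s in summarize(hits).items():
        print(f"{check}: {s['total']} found, {s['source']} in source, {s['tests']} in tests ({s['mocked']} mocked)")
    for h in hits:
        if not h.in_tests:
            print(f"  review: {h.path}:{h.lineno}  {h.snippet}")
```

On the sample this reports 6 network hits with only 2 in source and 2 credential hits with none in source, which is the shape of the evidence on this page. The two source lines are the ones to read by hand: where the URL comes from and what is in `payload`.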

💡 AI App Starter Prompt

Use this prompt to build a project with app-classifier
Create a web-based mini-application called 'CodeInsight' that leverages the 'app-classifier' Python package to analyze user-submitted code repositories and provide insightful reports. The application should have the following functionalities:

1. **Repository Upload**: Allow users to upload their code repositories (GitHub/GitLab/Bitbucket URLs or local zip files).
2. **Codebase Classification**: Utilize 'app-classifier' to classify the uploaded codebase into different categories based on the programming languages used.
3. **HTTP Routes Extraction**: For repositories containing web applications, extract all HTTP routes and categorize them by method (GET, POST, etc.).
4. **Tech Stack Detection**: Detect the technology stack used in the repository, including frameworks, libraries, and tools.
5. **Dependency Graph Mapping**: Map out the dependency graph of the repository, showing how different components (modules, packages, etc.) are interconnected.
6. **LLM Enrichment (Optional)**: Optionally integrate an LLM to provide additional insights or explanations about the detected elements.
7. **Report Generation**: Generate a comprehensive report for each analysis, including visual representations (charts, graphs), and make it downloadable in PDF format.
8. **User Interface**: Develop a clean, user-friendly interface using modern web technologies (HTML/CSS/JavaScript) that allows users to interact with the application easily.
9. **Security Measures**: Validate and sanitize all input: restrict repository URLs to the expected public hosts so the server never fetches internal addresses, reject archive entries whose names contain `..` or are absolute paths, never execute code from the uploaded repository (analysis is static), and cap upload size and analysis time.

The 'app-classifier' package will be used throughout the process to perform static code analysis. Users should be able to see real-time updates as the analysis progresses, and the final report should include actionable insights that help developers understand and optimize their codebases.
