arachna

v2.4.0 suspicious
7.0
High Risk

Context collector for AI — gathers project files into token-limited chunks

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits multiple high-risk behaviors including potential shell injection and credential harvesting, indicating a significant security concern.

  • use of 'shell=True' leading to potential shell injection
  • accessing sensitive system files like /etc/passwd and /etc/shadow

Per-check LLM notes
  • Network: The use of urllib for network calls is common but could be indicative of data exfiltration if the URL is not static and controlled.
  • Shell: Use of 'shell=True' is risky as it can lead to shell injection attacks. This suggests potential for executing arbitrary commands and should be reviewed carefully.
  • Obfuscation: The use of zlib.decompress suggests an attempt to obscure code logic or data, which is suspicious in the absence of clear documentation or cryptographic context.
  • Credentials: Accessing system files like '/etc/passwd' and '/etc/shadow' indicates potential attempts to harvest sensitive information, which is highly suspicious.
  • Metadata: The repository's recent creation and low activity suggest potential risk, but there's no concrete evidence of malicious intent.

📦 Package Quality Overall: Medium (5.2/10)

✦ High Test Suite 9.0

Test suite present — 4 test file(s) found

  • Test runner config found: pyproject.toml
  • 4 test file(s) detected (e.g. test_api_watch.py)
◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (18226 chars)
○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 171 type-annotated function signatures detected in source
◈ Medium Multiple Contributors 5.0

Limited contributor diversity

  • 1 unique contributor(s) across 100 commits in dead-duke/arachna
  • Single author but highly active (100 commits)

🔬 Heuristic Checks

Outbound Network Calls score 1.5

Found 1 network call pattern(s)

  • with contextlib.closing(urllib.request.urlopen(url, timeout=10)) as response: data = js
Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • o raw try: data = zlib.decompress(raw) except zlib.error: data = raw # Verify
Shell / Subprocess Execution score 10.0

Found 5 shell execution pattern(s)

  • s_shell: result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
  • eturn "" result = subprocess.run(args, capture_output=True, text=True, timeout=30) _l
  • l metacharacters that require shell=True _SHELL_CHARS = {"|", "&", ";", "<", ">", "$", "`", "(", ")"
  • no shell injection). Uses shell=True for commands with shell metacharacters (|, ||, &&, etc).
  • result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30) else:
Credential Harvesting score 5.0

Found 2 credential access pattern(s)

  • :|:& };:", # fork bomb "/etc/passwd", "/etc/shadow", ] def _resolve_base(cmd_part: str) -
  • bomb "/etc/passwd", "/etc/shadow", ] def _resolve_base(cmd_part: str) -> str: """Extra
Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 5.0

Git history flags: Repository created very recently: 7 day(s) ago (2026-05-31T10:56:48Z)

  • Repository created very recently: 7 day(s) ago (2026-05-31T10:56:48Z)
  • Repository has zero stars and zero forks
Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Artem Terenin" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with arachna

Create a mini-application called 'CodeSummarizer' that leverages the 'arachna' Python package to summarize code projects into digestible chunks for AI analysis. The application should accept a directory path as input, which contains various source code files of a software project. Using 'arachna', the app will gather these files, break them down into contextually relevant chunks that fit within a specified token limit (e.g., 1024 tokens), and then provide summaries of each chunk. These summaries should highlight key components such as function definitions, variable declarations, and any comments that might provide additional context about the code's purpose or functionality. Additionally, implement a feature that allows users to query specific parts of the summarized content based on keywords or file names. Ensure the application includes a user-friendly interface where users can easily navigate through the summaries and queries. Use 'arachna' effectively to maintain the contextual integrity of the code snippets while ensuring they remain within the token constraints suitable for AI processing.