arcade-mcp

v1.14.3 suspicious
7.0
High Risk

Arcade.dev - Tool Calling platform for Agents

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows significant risks in network, shell, credential, and metadata areas, indicating potential misuse or vulnerabilities. While obfuscation risk is lower, the combination of these factors raises concerns about a possible supply-chain attack.

  • High network and shell execution risks
  • Potential credential misuse
  • Suspicious metadata

Per-check LLM notes

  • Network: The network patterns include interactions that could be used for unauthorized external communications, which is unusual and potentially risky.
  • Shell: The shell execution patterns involve spawning processes that can interact with the system, which might indicate attempts to execute arbitrary commands or access sensitive information.
  • Obfuscation: Base64 decoding is commonly used for data serialization and may not indicate malicious intent.
  • Credentials: Direct extraction of environment variables such as tokens suggests potential misuse or insecure handling of secrets.
  • Metadata: Suspicious non-HTTPS link and lack of maintainer history suggest potential risk.

📦 Package Quality Overall: Low (4.8/10)

✦ High Test Suite 9.0

Test suite present — 3 test file(s) found

  • 3 test file(s) detected (e.g. pyproject.toml)
◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (6177 chars)
○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 385 type-annotated function signatures detected in source
○ Low Multiple Contributors 1.0

Unable to verify contributor count: no GitHub repository found

  • No GitHub repository linked — contributor count unavailable

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • ta} to url: {url}") with httpx.Client() as client: response = client.post(url, headers=PYL
  • y_html": body_html} with httpx.Client() as client: response = client.patch(url, headers=PY
  • State.CLOSED.value} with httpx.Client() as client: response = client.patch(url, headers=PY
  • /issues/{issue_id}" with httpx.Client() as client: response = client.get(url, headers=PYLO
  • {issue_id}/threads" with httpx.Client() as client: response = client.get(url, headers=PYLO
  • with data: {data}") with httpx.Client() as client: response = client.post(url, headers=PYL
Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • e, exist_ok=True) data = base64.b64decode(content) if binary else content.encode(encoding) create
Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • info"] = startupinfo subprocess.Popen(["rundll32", "url.dll,FileProtocolHandler", url], **popen_kw
  • lable in WSL result = subprocess.run( ["cmd.exe", "/c", "echo", "%USERNAME%"], # noq
  • s_stdio(debug) process = subprocess.Popen( cmd, stdout=stdout_target, stderr=s
  • eation_flags result = subprocess.run(cmd, **run_kwargs) # Exit with the same code as the
  • tform == "win32": subprocess.Popen( cmd, stdin=subprocess.DEVNU
  • ) else: subprocess.Popen( cmd, stdin=subprocess.DEVNU
Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • Configuration GITHUB_TOKEN = os.getenv("GITHUB_TOKEN") PYLON_API_TOKEN = os.getenv("PYLON_API_TOKEN") PYLON_API_
Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: arcade.dev

Suspicious Page Links score 2.0

Found 1 suspicious link(s) on the package page

  • Non-HTTPS external link: http://127.0.0.1:8000/docs
Git Repository History

No GitHub repository linked

  • No GitHub repository link found
Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with arcade-mcp
Create a fully functional mini-game development platform that leverages the 'arcade-mcp' package to manage game tools and components. Your goal is to develop a simple yet engaging game creation tool where users can easily integrate various arcade-style games using pre-built components and tools provided by the 'arcade-mcp' package. This platform will allow users to create their own unique arcade games by selecting different game elements, such as game modes, characters, and backgrounds, all without needing deep programming knowledge.

Key Features:
- User-friendly interface for selecting game components like game modes, characters, and backgrounds.
- Integration of 'arcade-mcp' to call upon external tools and services necessary for game creation and management.
- Pre-configured templates for popular arcade games (e.g., Pac-Man, Space Invaders).
- Real-time preview of the game as users select different components.
- Ability to save and share custom games created on the platform.

Step-by-Step Guide:
1. Set up a basic web application framework using Python's Flask or Django.
2. Integrate the 'arcade-mcp' package to handle the backend logic for calling game-related tools and services.
3. Design a user interface where users can browse through available game components and drag-and-drop them into their game.
4. Implement a real-time rendering system that updates the game preview based on user selections.
5. Develop a saving mechanism that allows users to store their game configurations locally or remotely.
6. Add functionality to share created games via a URL or download option.
7. Test the platform thoroughly to ensure smooth integration of 'arcade-mcp' functionalities and user-friendly experience.
