🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows signs of obfuscation and credential harvesting attempts, indicating potential malicious intent. However, the incomplete maintainer profile does not conclusively prove malice.

High obfuscation risk due to regex patterns and unsafe use of pickle
High credential risk due to checking for AWS environment variables

Per-check LLM notes

Obfuscation: The use of regex patterns to match potential command execution functions and the presence of `pickle.loads()` with untrusted data suggest an attempt to obfuscate or hide potentially harmful code.
Credentials: The package checks for AWS environment variables which could indicate an attempt to harvest AWS credentials or detect if it's running in an AWS environment.
Metadata: The maintainer has an incomplete profile and seems to be new or inactive, raising some suspicion but not definitive evidence of malice.

📦 Package Quality Overall: Medium (6.0/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

Test runner config found: pyproject.toml

◈ Medium Documentation 7.0

Some documentation present

Documentation URL: "Documentation" -> https://github.com/getarcis/arcis/wiki
Detailed PyPI description (14523 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

265 type-annotated function signatures detected in source

✦ High Multiple Contributors 8.0

Active multi-contributor project

3 unique contributor(s) across 100 commits in getarcis/arcis
Small but multi-author team (3–4 contributors)

🔬 Heuristic Checks

⚠ Outbound Network Calls score 6.0

Found 4 network call pattern(s)

rror on non-2xx.""" req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
"POST") try: with urllib.request.urlopen(req, timeout=timeout) as resp: if resp.s
rt httpx is not None with httpx.Client(timeout=timeout) as client: resp = client.post(endpo
px is not None async with httpx.AsyncClient(timeout=timeout) as client: resp = await client.post

⚠ Code Obfuscation score 4.0

Found 2 obfuscation pattern(s)

-tool-name-spoof", re.compile( r'"name"\s*:\s*"(?:exec|shell|run_command|system|bash|cmd|python|eval|read_file|wri
5`` at position 0. Reaching ``pickle.loads()`` on this with untrusted data = RCE. * **Java FastJSON*

⚠ Shell / Subprocess Execution score 6.0

Found 3 shell execution pattern(s)

try: result = subprocess.run( [npm_exe, "config", "get", "prefix"],
try: result = subprocess.run([real_cli, *args]) return result.returncode if r
try: result = subprocess.run( [real_cli, "--version"],

⚠ Credential Harvesting score 5.0

Found 2 credential access pattern(s)

return 'firebase' if os.environ.get('AWS_EXECUTION_ENV') or os.environ.get('AWS_LAMBDA_FUNCTION_NAME'
n.get('AWS_EXECUTION_ENV') or os.environ.get('AWS_LAMBDA_FUNCTION_NAME'): return 'aws-alb' return

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: users.noreply.github.com>

✓ Suspicious Page Links

All external links appear legitimate

✓ Git Repository History

Repository getarcis/arcis appears legitimate

⚠ Maintainer History score 4.0

2 maintainer concern(s) found

Author name is missing or very short
Author "" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with arcis

Develop a web-based task management application using FastAPI that integrates the 'arcis' security middleware package. This application will allow users to create tasks, assign them to other users, mark tasks as completed, and delete tasks. Additionally, the app will include robust security measures to protect against common web vulnerabilities such as XSS, SQL injection, and CSRF attacks. Here’s a step-by-step guide on how to build this application:

1. **Setup Project Environment**
- Initialize a new Python virtual environment.
- Install FastAPI, Uvicorn, and the 'arcis' package.

2. **Design the Database Schema**
- Define models for Users and Tasks. Each user can have multiple tasks assigned to them.

3. **Implement User Authentication**
- Create endpoints for user registration and login using JWT tokens.

4. **Create Task Management Endpoints**
- Implement CRUD operations for tasks including creation, reading, updating, and deletion.

5. **Integrate Arcis Security Middleware**
- Use 'arcis' to sanitize all inputs from forms and APIs to prevent XSS, SQL injection, and other common vulnerabilities.
- Implement CSRF protection for form submissions.
- Validate URLs provided by users to prevent SSRF attacks.

6. **Enhance Security with Advanced Features**
- Utilize the 'arcis' package's opt-in helpers for bot detection, prompt injection signatures, and LLM token budget management.
- Enable per-IP correlation windows to detect suspicious activities.

7. **Testing and Deployment**
- Write tests for your application to ensure it functions correctly and securely.
- Deploy the application to a cloud platform of your choice, ensuring it runs behind a secure firewall.

8. **Documentation**
- Provide comprehensive documentation on how to use the application, including setup instructions and API documentation.

By following these steps, you'll create a secure and functional task management application that leverages the powerful security features of the 'arcis' package.