AI Analysis
The package exhibits high risk due to potential credential harvesting activities but has lower risks in other areas such as network and shell usage. The overall risk is elevated, warranting further investigation.
- High credential risk
- No evidence of supply-chain attack
Per-check LLM notes
- Network: The use of httpx for network calls is common and suggests standard HTTP/HTTPS interaction rather than malicious activity.
- Shell: No direct shell execution detected; the code uses subprocess without shell=True, which is safe from command injection attacks.
- Obfuscation: No obfuscation patterns detected.
- Credentials: High risk of credential harvesting as it attempts to access sensitive files like /etc/passwd and /etc/shadow.
Package Quality Overall: Low (4.4/10)
Test suite present — 17 test file(s) found
Test runner config found: conftest.py
Test runner config found: conftest.py
Test runner config found: pyproject.toml
17 test file(s) detected (e.g. conftest.py)
Some documentation present
Detailed PyPI description (5678 chars)
No contributing guide or governance files found
No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
Partial type annotation coverage
252 type-annotated function signatures detected in source
Unable to verify contributor count: no GitHub repository found
No GitHub repository linked — contributor count unavailable
Heuristic Checks
Found 4 network call pattern(s)
_path) self._client = httpx.AsyncClient( transport=self._transport, base_url
t(uds=uds) async with httpx.AsyncClient(transport=transport, base_url="http://localhost") as c:
p_client(app): async with httpx.AsyncClient( transport=httpx.ASGITransport(app=app), bas
blic_settings) async with httpx.AsyncClient( transport=httpx.ASGITransport(app=app), base_url="h
No obfuscation patterns detected
Found 1 shell execution pattern(s)
create_subprocess_exec (never shell=True) to prevent injection. """ log.info("Running comman
Found 6 credential access pattern(s)
nError): _check_path("/etc/passwd", settings) def test_root_path_blocked(settings: Settings
tool("file_delete", {"path": "/etc/passwd", "confirm": True}) async def test_file_delete_not_found(
or): _check_log_path("/etc/shadow") def test_log_traversal_blocked() -> None: with pyte
check_log_path("/var/log/../../etc/passwd") async def test_log_read_missing_file(settings: Settings
t-dot-slash", "{root}/../../../etc/passwd"), _TraversalCase("absolute-etc", "/etc/passwd"), _
raversalCase("absolute-etc", "/etc/passwd"), _TraversalCase("absolute-root", "/"), _Traversal
No typosquatting candidates detected
No author email provided
Found 2 suspicious link(s) on the package page
Non-HTTPS external link: http://your-server:8081/`
Non-HTTPS external link: http://your-server-ip:8081/mcp
No GitHub repository linked
No GitHub repository link found
3 maintainer concern(s) found
Author name is missing or very short
Author "" appears to have only 1 package on PyPI (new or inactive account)
Package has no PyPI classifiers (low effort / metadata quality)
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Create a mini-application named 'MediaMaster' that leverages the 'arr-mcp-server' package to manage a user's home media server stack using natural language commands. This application will allow users to interact with their media server via text-based commands, making it easier to add, remove, or search for media files across different media server software like Sonarr, Radarr, or Lidarr. The application should have the following features:
1. **Command Parsing**: Implement a robust command parser that understands natural language instructions related to media management. For example, 'Add a new TV show', 'Remove all movies from 2000', or 'Find me all movies directed by Christopher Nolan'.
2. **Integration with Media Servers**: Utilize 'arr-mcp-server' to communicate with various media server applications (Sonarr, Radarr, Lidarr). Ensure the application can handle multiple instances of these servers and perform actions like adding, removing, or searching media items.
3. **User Interface**: Develop a simple and intuitive CLI interface where users can input their commands. Additionally, consider integrating a basic web interface using Flask for a more interactive experience.
4. **Error Handling and Feedback**: Provide clear feedback to users about the success or failure of their commands. Handle errors gracefully and offer suggestions if a command is misunderstood or incorrectly formatted.
5. **Configuration Management**: Allow users to configure their media server instances within the application. This includes specifying server URLs, API keys, and other necessary settings.
6. **Logging**: Implement logging functionality to track user interactions and system responses. Logs should include timestamps, user commands, and system outputs.
To utilize 'arr-mcp-server', your application should establish a connection to the MCP server running on the user's media server stack. Use the provided APIs to send commands and receive responses, which will then be parsed and acted upon by your application. Ensure that the application is modular and scalable, allowing for easy integration of additional media server types or features in the future.