ascript

v1.3.4 suspicious
6.0
Medium Risk

Ascript Developer Library

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits high obfuscation and shell execution risks, which may indicate potential for hiding malicious activities. While there is no clear evidence of credential theft, the network calls and lack of associated metadata raise concerns about its legitimacy.

  • High obfuscation risk due to use of eval and base64 decoding
  • Potential for shell command execution

Per-check LLM notes

  • Network: Network calls include probing and downloading content which could be legitimate but might also indicate unusual behavior.
  • Shell: Shell executions involve task listing and virtual environment management, potentially legitimate but could hide malicious activities like executing arbitrary commands.
  • Obfuscation: The use of eval and base64 decoding without context suggests potential code injection risks.
  • Credentials: No clear signs of credential harvesting detected.
  • Metadata: The package shows signs of being new or from an inactive account with no associated GitHub repository, raising suspicion but not conclusive evidence of malice.

📦 Package Quality Overall: Low (3.4/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

  • 1 test file(s) detected (e.g. flot_test.py)

○ Low Documentation 1.0

No documentation detected

  • No documentation URL, doc files, or meaningful description found

○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 108 type-annotated function signatures detected in source

○ Low Multiple Contributors 1.0

Unable to verify contributor count: no GitHub repository found

  • No GitHub repository linked — contributor count unavailable

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • try: req = urllib.request.Request(url, headers={"User-Agent": "ascript-pip-probe"})
  • nloaded = 0 with urllib.request.urlopen(req, timeout=Pip._PROBE_CONNECT_TIMEOUT) as resp:
  • 5.0'} response = requests.get(url, stream=True, timeout=30, headers=headers)
  • 2 bootstrapper") with requests.get(_WEBVIEW2_BOOTSTRAPPER_URL, stream=True, timeout=120) as res

Code Obfuscation score 8.0

Found 4 obfuscation pattern(s)

  • ",")[1] img_data = base64.b64decode(base64_str) # add a timestamp to prevent duplicate file names name, ext
  • ept or decode directly raw_path = base64.b64decode(clean_base64).decode('utf-8') # 3. unquote again the physical path
  • eval...") results = eval(selector_str, {"__builtins__": None}, safe_vars)
  • axError) byte_code = compile(python_code, '<js_executed_code>', 'exec') # 2. execute the code # do not preset globals, let JS itself impor

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • dater.exe"} with os.popen('tasklist /NH /FI "STATUS eq running"') as f:
  • # run the packaging step process = subprocess.Popen( build_cmd, stdout=subprocess.PIPE,
  • = _clean_env() r = subprocess.run( [sys.executable, "-m", "virtualenv", abs_env_d
  • , so users can use it to self-check or send screenshot feedback. r = subprocess.run( [venv_python, "-c", "import sys; print(sys.ver
  • ) r = subprocess.run( f'cmd /s /c "{cmd_payload}"',
  • else: r = subprocess.run( pip_args, env=env, capture_output=True, te

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with ascript
Your task is to develop a simple yet powerful script management tool called 'ScriptMaster' using the Python package 'ascript'. This tool will allow users to write, manage, and execute scripts directly from a user-friendly interface. Here’s a detailed breakdown of what ScriptMaster should do:

1. **Script Writing Interface**: Provide a basic text editor where users can write their scripts. Utilize 'ascript' to validate and provide real-time feedback on the syntax correctness.
2. **Script Execution**: Once a script is written, users should be able to execute it within the same environment. Use 'ascript' to safely run these scripts and capture any output or errors.
3. **Script Management**: Implement features to save, load, and delete scripts. Leverage 'ascript' to ensure that only valid scripts can be saved.
4. **Script Sharing**: Enable users to share their scripts via a unique URL. Use 'ascript' to sanitize and securely share the scripts.
5. **Interactive Help**: Integrate an interactive help system that suggests commands and provides usage examples based on the script content. 'ascript' can be used here to parse and understand the context of the script.
6. **Version Control**: Allow users to track changes in their scripts over time. Use 'ascript' to compare different versions of the same script and highlight changes.
7. **User Authentication**: Implement basic user authentication to protect personal scripts. Ensure that 'ascript' is used to handle any security checks related to script execution.

For each feature, describe how 'ascript' contributes to the functionality, such as ensuring script safety, providing real-time feedback, and enhancing user experience through intelligent suggestions.
