AI Analysis
The package exhibits high risks due to its ability to execute shell commands based on user input, which can lead to arbitrary code execution. Additionally, it has a moderate risk of downloading external resources, though the metadata and obfuscation risks are lower.
- High shell risk due to execution of user-provided commands
- Moderate network risk indicating potential for downloading external resources
Per-check LLM notes
- Network: The network call pattern suggests the package may download external resources, which could be legitimate but also indicates potential for downloading malicious content.
- Shell: Executing shell commands based on user input is highly risky and can lead to arbitrary code execution, indicating a significant security concern.
- Obfuscation: No obfuscation patterns detected, indicating low risk of code being intentionally obscured.
- Credentials: No credential harvesting patterns detected, suggesting no risk of secret or sensitive information being stolen.
- Metadata: The maintainer's author name is missing and the account seems new or inactive, raising some concerns but not definitive signs of malice.
Package Quality Overall: Low (4.2/10)
No test suite detected
No test files or test-runner configuration detected
Some documentation present
Documentation URL: "Documentation" -> https://github.com/aeroxy/ast-bro#readme
Detailed PyPI description (3777 chars)
No contributing guide or governance files found
Development Status classifier >= Beta
No type annotations detected
No type annotations, py.typed marker, or stub files detected
Active multi-contributor project
4 unique contributor(s) across 100 commits in aeroxy/ast-bro
Small but multi-author team (3–4 contributors)
Heuristic Checks
Found 1 network call pattern(s)
r / f"archive{ext}" with httpx.Client(follow_redirects=True) as client: resp = client.get(
No obfuscation patterns detected
Found 1 shell execution pattern(s)
s = sys.argv[1:] result = subprocess.run([str(binary)] + args, cwd=os.getcwd()) sys.exit(result.r
No credential harvesting patterns detected
No typosquatting candidates detected
No author email provided
All external links appear legitimate
Repository aeroxy/ast-bro appears legitimate
2 maintainer concern(s) found
Author name is missing or very short
Author "" appears to have only 1 package on PyPI (new or inactive account)
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Create a Python-based code analysis tool named 'CodeNavi' using the 'ast-bro' package. This tool should serve as a comprehensive solution for navigating and analyzing Python codebases. The application will include several key functionalities:
1. **Code Shape Analysis**: Utilize 'ast-bro' to analyze the structure of Python files and directories, identifying common patterns and structures within the code.
2. **Public API Documentation**: Automatically generate documentation for public APIs found in the analyzed codebase, highlighting functions, classes, and modules.
3. **Dependency Graphs**: Construct dependency graphs to visualize which modules depend on each other, aiding in understanding the codebase's architecture.
4. **Call Graph Generation**: Generate call graphs to trace function calls throughout the codebase, helping identify potential issues like circular dependencies or complex call chains.
5. **Semantic Search**: Implement a feature that allows users to search for code based on semantic content rather than just keywords, utilizing 'ast-bro's hybrid semantic search capabilities.
6. **Structural Rewriting**: Provide functionality to automatically refactor parts of the codebase based on structural patterns identified by 'ast-bro', simplifying maintenance and improving readability.
7. **Log Squeezing**: Integrate 'ast-bro' to process logs generated during code execution, filtering out noise and focusing on meaningful information.
8. **MCP Server Integration**: Include an MCP server provided by 'ast-bro' to enable real-time collaboration and sharing of code insights among multiple developers.
Your task is to design and implement these features in a modular fashion, ensuring the tool is user-friendly and efficient. Consider building a simple GUI or command-line interface for interacting with 'CodeNavi'. Additionally, document your implementation process, including challenges faced and solutions adopted, to assist future contributors.