athanor-sdk

v0.8.10 suspicious
7.0
High Risk

Multi-agent verification orchestration -- LLMs propose, formal tools prove, every change is machine-checked

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits multiple high-risk indicators including potential credential harvesting and significant obfuscation, suggesting it may have malicious intent. While it does not definitively prove a supply-chain attack, the overall risk is elevated.

  • High credential risk
  • Significant obfuscation

Per-check LLM notes
  • Network: The network calls seem to be interacting with an API endpoint which could be part of the intended functionality but should be reviewed for unauthorized access.
  • Shell: Executing shell commands may be necessary for some functionalities but poses a significant risk if not properly controlled, suggesting potential misuse or unintended behavior.
  • Obfuscation: The code shows signs of obfuscation with unusual patterns and incomplete imports, suggesting potential malicious intent.
  • Credentials: The package checks for AWS credentials in environment variables, which could indicate an attempt to harvest sensitive information.
  • Metadata: The package has no typosquatting or email domain flags, but the repository is not found and the maintainer has only one package, indicating potential newness or inactivity which raises some concern.

📦 Package Quality Overall: Low (4.8/10)

✦ High Test Suite 9.0

Test suite present — 1 test file(s) found

  • Test runner config found: pyproject.toml
  • 1 test file(s) detected (e.g. diff_test.py)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (8795 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Medium Type Annotations 7.0

Partial type annotation coverage

  • Type checker (mypy / pyright / pytype) referenced in project
  • 310 type-annotated function signatures detected in source

○ Low Multiple Contributors 1.0

Could not retrieve contributor data from GitHub

  • GitHub API error: 404

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • = content_sha req = urllib.request.Request( f"{url}/rest/v1/knowledge_entries?on_co
  • hod="POST", ) urllib.request.urlopen(req, timeout=5) return True except Excep
  • /runner/ghcr-token" req = urllib.request.Request( url, headers={ "Authori
  • ) try: resp = urllib.request.urlopen(req, timeout=30) data = json.loads(resp.read
  • rt urllib.error req = urllib.request.Request(url.rstrip("/") + "/rest/v1/", method="HEAD")
  • AD") try: urllib.request.urlopen(req, timeout=2) except urllib.error.HTTPErro

Code Obfuscation score 8.0

Found 4 obfuscation pattern(s)

  • raints: env to bind into svex-eval (svar name → integer). Models the antecedent of E
  • xtensions.append( __import__("setuptools").Extension( name=ext_name, s
  • eps: try: __import__(module_name) except ImportError: missing.append(pip_
  • ibs: try: __import__(module) except ImportError as e: if "failed to

Shell / Subprocess Execution score 10.0

Found 5 shell execution pattern(s)

  • ) try: proc = subprocess.run( ["lake", "update"], cwd=project,
  • afe}" try: proc = subprocess.run( ["lake", "build", target], cwd=proj
  • False try: res = subprocess.run( [acl2], input=f'(ld "{script_path}"
  • = time.monotonic() proc = subprocess.run( [cert_pl, "--acl2", acl2, book2_stem], cwd=
  • = time.monotonic() proc = subprocess.run( [cert_pl, "--acl2", acl2, book1_stem, book3_stem],

Credential Harvesting score 10.0

Found 6 credential access pattern(s)

  • _KEY"): return if os.environ.get("AWS_ACCESS_KEY_ID") and os.environ.get("AWS_DEFAULT_REGION"):
  • .get("AWS_ACCESS_KEY_ID") and os.environ.get("AWS_DEFAULT_REGION"): return if shutil.which("claude
  • KEY")) has_aws_key = bool(os.environ.get("AWS_ACCESS_KEY_ID")) if env_choice == "bedrock": ba
  • OURCE_ENV: if not os.environ.get("AWS_SECRET_ACCESS_KEY"): return CheckResult(
  • EY") ) has_aws = bool(os.environ.get("AWS_ACCESS_KEY_ID")) if has_aws: region = os.enviro
  • if has_aws: region = os.environ.get( "AWS_BEDROCK_REGION", os.environ.get("AWS_REGION", os

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Athanor AI" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with athanor-sdk
Create a Python-based mini-application that leverages the 'athanor-sdk' package to streamline the development of secure and verified multi-agent systems. This application will serve as a proof-of-concept for integrating AI-driven proposal generation with formal verification methods, ensuring that every system change is rigorously checked by machine.

Step 1: Define the System
- Choose a simple multi-agent scenario, such as a distributed voting system where agents represent voters and validators.

Step 2: Proposal Generation
- Use 'athanor-sdk' to implement an interface that allows users to input requirements for the system (e.g., rules for voting).
- Integrate an LLM (Language Model) to generate proposals that meet these requirements.

Step 3: Formal Verification
- Implement functionality within your application to automatically send the generated proposals to a formal verification tool integrated via 'athanor-sdk'.
- Ensure the application can interpret and display the results of the verification process, indicating whether the proposed system meets all specified requirements.

Step 4: Machine-Checked Changes
- Add support for users to make modifications to the system post-proposal.
- Utilize 'athanor-sdk' to ensure that any changes are re-verified before being accepted into the system.

Suggested Features:
- User-friendly GUI for inputting requirements and viewing system status.
- Detailed logs of each verification process and its outcome.
- Real-time feedback on proposal validity based on LLM analysis.
- Documentation explaining how 'athanor-sdk' enhances security and reliability in multi-agent systems.
