auto-shell-gpt

v1.12.0 suspicious
6.0
Medium Risk

Shell-GPT 自动安装和配置工具:对接 SiliconFlow API,全程国内镜像,专为教学场景设计

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits some concerning behaviors, including potential unauthorized data transmission and risky shell executions, while showing no signs of obfuscation or credential harvesting. The metadata risk also points towards possible lack of maintainer trustworthiness.

  • High network and shell execution risks
  • Low obfuscation and credential risks
  • Potential supply-chain attack due to combined signals
Per-check LLM notes
  • Network: The network patterns suggest the package is making external HTTP requests, which could be for legitimate purposes like checking updates but may also indicate potential for unauthorized data transmission.
  • Shell: The shell execution patterns involve running external commands and installing packages, which can be part of normal functionality but also pose risks for executing arbitrary code, potentially leading to system compromise.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The maintainer has a new or inactive account and the repository lacks community engagement.

📦 Package Quality Overall: Low (3.4/10)

○ Low Test Suite 1.0

No test suite detected

  • No test files or test-runner configuration detected
◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (1555 chars)
○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 32 type-annotated function signatures detected in source
○ Low Multiple Contributors 2.0

Single-author or unverifiable project

  • 1 unique contributor(s) across 10 commits in JohnnyChen1113/biotrainee
  • Single author with few commits — possibly a personal or throwaway project

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • e = time.time() req = urllib.request.Request(url, method='HEAD') req.add_header('User-Age
  • nt', 'pip/24.0') with urllib.request.urlopen(req, timeout=timeout) as response: elaps
  • t = time.time() req = urllib.request.Request(base + "/", headers=_BROWSER_HEADERS) with u
  • BROWSER_HEADERS) with urllib.request.urlopen(req, timeout=timeout) as resp: if 200 <=
  • pass try: req = urllib.request.Request(url, headers=_BROWSER_HEADERS) with urllib.r
  • BROWSER_HEADERS) with urllib.request.urlopen(req, timeout=timeout) as resp: return re
Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • e} 镜像安装 requests...") subprocess.check_call([ sys.executable, "-m", "pip", "install",
  • = time.time() r = subprocess.run( [curl, *_curl_common_args(timeout), "--outp
  • try: r = subprocess.run( [curl, *_curl_common_args(timeout), url],
  • ⠧', '⠇', '⠏']) proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  • bin.exists(): v = subprocess.run([str(python_bin), "--version"], capture_output=True, text=Tr
  • 式初始化。""" try: r = subprocess.run( [python_bin, "-m", "pip", "show", package],
Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 2.5

Git history flags: Repository has zero stars and zero forks

  • Repository has zero stars and zero forks
Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "卖萌哥" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with auto-shell-gpt 
构建一个名为 'AutoShellSetup' 的小型应用程序,该应用利用 'auto-shell-gpt' 包来自动安装和配置软件开发环境。此应用专为教学目的设计,旨在简化学生在学习编程时的环境搭建过程。

### 应用功能要求:
1. **环境检测与准备**: 用户启动应用后,应用首先检查当前系统环境是否满足安装要求,并提示用户进行必要的准备工作。
2. **软件包安装**: 利用 'auto-shell-gpt' 包中的功能,自动从国内镜像源下载并安装所需的开发软件和库,如Python、Git等。
3. **配置文件生成**: 根据用户选择的不同开发语言或框架(如Python Flask、Node.js Express),自动生成相应的配置文件,包括但不限于虚拟环境设置、数据库连接配置等。
4. **API对接**: 通过对接SiliconFlow API,获取最新的开发工具版本信息,并根据用户需求自动更新已安装的软件。
5. **错误处理与日志记录**: 在安装过程中,对可能出现的各种错误进行捕获,并将详细的错误信息及解决建议记录下来,方便后续查看。
6. **用户界面**: 设计友好的命令行界面或图形界面,让用户能够直观地了解安装进度和状态。

### 使用 'auto-shell-gpt' 包的方式:
- **初始化环境**: 调用 'auto-shell-gpt' 提供的初始化函数,设置必要的环境变量,如国内镜像源地址等。
- **安装依赖**: 利用 'auto-shell-gpt' 的安装模块,指定需要安装的软件列表及其版本号,执行批量安装操作。
- **配置管理**: 使用 'auto-shell-gpt' 的配置模块,生成符合用户需求的配置文件模板,并提供修改和保存的功能。
- **更新机制**: 通过 'auto-shell-gpt' 对接SiliconFlow API,定期检查并提示用户更新已安装的软件至最新版本。

请详细描述如何使用 'auto-shell-gpt' 包实现上述功能,并提供相应的代码示例。

💬 Discussion Feed

Leave a comment

No discussion yet. Be the first to share your thoughts!