autodev-ai

v0.1.0a4 suspicious
8.0
High Risk

AI-driven software factory: CrewAI + Codex CLI + Claude Code CLI with multi-CLI router, A2A roundtable, MCP server, scale-adaptive delivery from brief to release-ready project.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits several concerning behaviors including potential shell injection risks, code execution capabilities, and suspicious metadata patterns, which collectively raise suspicion about its legitimacy and security.

  • High shell risk due to os.system and subprocess.run usage
  • Significant obfuscation risk with eval() and exec() functions

Per-check LLM notes
  • Network: The network patterns suggest custom handling of HTTP requests which could be used for legitimate purposes but also might indicate unusual behavior requiring further investigation.
  • Shell: The presence of os.system and subprocess.run calls poses significant risks of shell injection and control over system commands, indicating potential vulnerabilities or malicious intent.
  • Obfuscation: The presence of 'eval()' and 'exec()' suggests potential for code injection, indicating high obfuscation risk.
  • Credentials: No clear patterns of credential harvesting detected, but the use of environment variables for tokens needs further investigation.
  • Metadata: Suspicious activity includes rapid commit history, single package maintainer, and non-secure external link.

📦 Package Quality Overall: Medium (6.2/10)

✦ Test Suite: High (9.0)

Test suite present — 2 test file(s) found

  • Test runner config found: pyproject.toml
  • 2 test file(s) detected (e.g. pyproject.toml)

◈ Documentation: Medium (7.0)

Some documentation present

  • Documentation URL: "Documentation" -> https://github.com/merchloubna70-dot/autodev-ai/blob/main/RE
  • Detailed PyPI description (11396 chars)

○ Contributing Guide: Low (2.0)

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

◈ Type Annotations: Medium (7.0)

Partial type annotation coverage

  • Classifier: Typing :: Typed
  • 364 type-annotated function signatures detected in source

◈ Multiple Contributors: Medium (6.0)

Limited contributor diversity

  • 2 unique contributor(s) across 100 commits in merchloubna70-dot/autodev-ai
  • Two distinct contributors found

🔬 Heuristic Checks

⚠ Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • rt validation. sock = socket.create_connection( (self.host, self.port), timeout=sel
  • request still flows through ``urllib.request.OpenerDirector.open`` — only the connection target (IP)
  • -- class _NoRedirectHandler(urllib.request.HTTPRedirectHandler): """Suppress automatic redirect fol
  • e) class _PinnedHTTPHandler(urllib.request.HTTPHandler): """urllib HTTPHandler that directs connect
  • HTTPConnection], req: urllib.request.Request, **http_conn_args: Any, ) -> Any:
  • ] class _PinnedHTTPSHandler(urllib.request.HTTPSHandler): """urllib HTTPSHandler that directs TLS c

⚠ Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • on", Severity.BLOCKER), ("eval(", False, "injection", "eval() — code injection risk",
  • (", False, "injection", "eval() — code injection risk", Severity.BLOCKER), ("exec(", F
  • =endpoint, auth_token=__import__("os").environ.get("AUTODEV_A2A_TOKEN"), ) card = transpor

⚠ Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • risk", Severity.MAJOR), ("os.system(", False, "injection", "os.system() — shell injection r
  • (", False, "injection", "os.system() — shell injection risk", Severity.MAJOR), # Dangerous
  • ).""" try: proc = subprocess.run( cmd, cwd=str(cwd), capt
  • try: proc = subprocess.run( cmd, cwd=str(repo),
  • try: self._proc = subprocess.Popen( argv, stdin=subprocess.PIPE
  • try: proc = subprocess.run( argv, env=os.environ.copy()

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

No author email provided

⚠ Suspicious Page Links score 2.0

Found 1 suspicious link(s) on the package page

  • Non-HTTPS external link: http://127.0.0.1:8421

⚠ Git Repository History score 5.0

Git history flags: Repository has zero stars and zero forks

  • Repository has zero stars and zero forks
  • All 100 commits happened within 24 hours

⚠ Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Software Factory" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with autodev-ai:

Create a mini-application called 'AutoDevHelper' that leverages the capabilities of the 'autodev-ai' package to streamline the development process from ideation to deployment. The application should be able to generate code snippets based on user-provided requirements, manage project configurations, and facilitate collaboration among developers through a virtual roundtable feature. Here’s a detailed breakdown of the steps and features:

1. **Project Setup**: Initialize a new project using the 'autodev-ai' package, specifying the project name, type (e.g., web app, command-line tool), and desired programming language.
2. **Requirement Specification**: Allow users to input high-level project requirements (e.g., features, functionalities). Use 'autodev-ai' to interpret these requirements and generate corresponding code snippets.
3. **Code Generation**: Utilize the Codex CLI and Claude Code CLI components within 'autodev-ai' to automatically generate initial code structures and functions based on the specified requirements.
4. **Configuration Management**: Implement a feature that allows users to configure project settings such as database connections, API keys, and environment variables using the MCP server functionality provided by 'autodev-ai'.
5. **Virtual Roundtable Collaboration**: Enable developers to participate in a virtual roundtable discussion about the project using the A2A roundtable feature. This should allow real-time feedback and adjustments to the project's direction.
6. **Deployment Automation**: Integrate 'autodev-ai' to handle the deployment process, scaling from small projects to larger applications. Ensure that the deployment process includes automated testing and continuous integration.
7. **Feedback Loop**: Incorporate a feedback loop where the generated code and project configurations can be reviewed and adjusted based on user feedback and performance metrics.

Utilize the multi-CLI router in 'autodev-ai' to seamlessly switch between different tools and commands needed for each phase of the project lifecycle. The goal is to create a fully-functional mini-app that demonstrates the power of AI-driven software development, making it easier for developers to focus on innovation rather than repetitive tasks.
