automated-sing-box-generator

v0.3.17 suspicious
6.0
Medium Risk

Sing-box + Cloudflare WARP one-click automated deployment tool

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package has moderate risks due to potential insecure JSON handling and unsanitized subprocess calls. While there is no evidence of malicious intent, the sparse maintainer information and low engagement level raise concerns about its legitimacy.

  • Unsecured JSON handling could expose sensitive information.
  • Subprocess calls for network and certificate operations are not properly sanitized.
Per-check LLM notes
  • Network: The network calls to GitHub API seem legitimate for checking updates, but unsecured JSON handling could expose sensitive information.
  • Shell: Subprocess calls for network and certificate operations are unusual and might indicate execution of user-defined commands or system checks, which could pose risks if not properly sanitized.
  • Obfuscation: No obfuscation patterns detected in the provided code snippets.
  • Credentials: The presence of getpass and input functions suggests potential handling of sensitive inputs, but it's likely for user interaction rather than credential harvesting.
  • Metadata: The maintainer information is sparse, and the repository's lack of engagement raises suspicion.

📦 Package Quality Overall: Low (3.6/10)

○ Low Test Suite 1.0

No test suite detected

  • No test files or test-runner configuration detected
◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (5411 chars)
○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 8 type-annotated function signatures (partial)
◈ Medium Multiple Contributors 5.0

Limited contributor diversity

  • 1 unique contributor(s) across 100 commits in henryliu443/Automated-sing-box-json-generator
  • Single author but highly active (100 commits)

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • # fetch the latest remote commit req = urllib.request.Request( "https://api.github.com/repos/henryliu4
  • cker"} ) with urllib.request.urlopen(req, timeout=2) as resp: data = json.loa
  • ) if data else None req = urllib.request.Request(url, data=body, method=method) req.add_header("A
  • json") try: with urllib.request.urlopen(req, timeout=30) as resp: result = json.
  • def _check_ip(url): req = urllib.request.Request(url, headers={"User-Agent": "sing-box-deploy"})
  • "sing-box-deploy"}) with urllib.request.urlopen(req, timeout=10) as resp: ip = resp.read().d
Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • (url) try: res = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=Tr
  • tening try: res = subprocess.run(["ss", "-Hltnp"], stdout=subprocess.PIPE, text=True)
  • try: not_expiring = subprocess.run( [ "openssl", "x
  • e try: san_ext = subprocess.check_output( ["openssl", "x509", "-in", cert_path, "-noout",
  • _ENV] = cf_zone_id proc = subprocess.Popen( cmd, shell=True, stdout=subprocess.PIPE, st
  • get the local git commit res = subprocess.run(["git", "rev-parse", "HEAD"], capture_output=True, text=True
Credential Harvesting score 7.5

Found 3 credential access pattern(s)

  • if secret: return getpass.getpass(text) return input(text) read_stream, write_str
  • if secret: return getpass.getpass(text) return input(text) fd = read_stream.filen
  • try: return getpass.getpass(text) except EOFError: return _read_prom
Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: gmail.com

Suspicious Page Links

All external links appear legitimate

Git Repository History score 2.5

Git history flags: Repository has zero stars and zero forks

  • Repository has zero stars and zero forks
Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with automated-sing-box-generator
Build a small application named 'SingBox-WARP-Deployer' that uses the 'automated-sing-box-generator' package to provide one-click automated deployment of Sing-box with Cloudflare WARP. The application helps users quickly configure and start a Sing-box proxy service, and adds extra network security through Cloudflare WARP.

### Application requirements:
1. User interface: provide a friendly graphical user interface (GUI) that lets users easily select the operating system, version and other details needed to install Sing-box.
2. Automated deployment: based on the configuration options the user selects, use the 'automated-sing-box-generator' package to automatically download and install Sing-box.
3. WARP integration: automatically register and activate a Cloudflare WARP account so that Sing-box can use the encrypted tunnel WARP provides.
4. Configuration management: allow users to manage and modify the Sing-box configuration file, including proxy type, port settings and so on.
5. Status monitoring: display the running status of Sing-box and the network connection state in real time.
6. Log viewing: provide a log viewer to help users diagnose problems that may arise.
7. Update checks: periodically check whether updates are available for Sing-box and the 'automated-sing-box-generator' package, and prompt the user to update.

### How to use the 'automated-sing-box-generator' package:
- After the user has completed all configuration options, call the relevant functions of the 'automated-sing-box-generator' package to start the automated deployment process.
- Use the package's functions to handle the interaction between Sing-box and Cloudflare WARP, such as registration, login and configuration.
- Use the API or command-line interface the package provides to control basic Sing-box operations such as start, stop and restart.
- When the user needs to modify the configuration, use the interfaces the package provides to read and write the configuration file safely.

### Suggested development steps:
1. Install the required Python libraries and set up the development environment.
2. Design and implement the GUI.
3. Integrate the 'automated-sing-box-generator' package and write the corresponding call logic.
4. Implement status monitoring and log viewing.
5. Test the functionality and stability of the whole application.
6. Release the application, collect feedback and keep improving it.
