AI Analysis
The package shows signs of potential unsecured handling of sensitive environment variables and lacks clear metadata such as a full author name and a discoverable repository, indicating possible issues with transparency and security practices.
- credential risk due to unsecured handling of environment variables
- metadata risk due to missing author details and non-existent repository
Per-check LLM notes
- Network: No network calls detected, which is normal for many CLI tools.
- Shell: The use of shell execution to interact with Git suggests the tool might be performing version control operations locally, which could be part of its functionality but requires further investigation into its purpose.
- Obfuscation: No signs of code obfuscation detected.
- Credentials: Several instances of potential unsecured handling of environment variables that may contain sensitive information.
- Metadata: The package has a missing or short author name and the repository is not found, raising suspicion.
Package Quality Overall: Low (4.4/10)
Test suite present — 27 test file(s) found
Test runner config found: pyproject.toml
27 test file(s) detected (e.g. test_acceptance.py)
Some documentation present
Detailed PyPI description (8040 chars)
No contributing guide or governance files found
No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
Partial type annotation coverage
233 type-annotated function signatures detected in source
Could not retrieve contributor data from GitHub
GitHub API error: 404
Heuristic Checks
No suspicious network call patterns found
No obfuscation patterns detected
Found 5 shell execution pattern(s)
Found 6 credential access pattern(s)
No typosquatting candidates detected
No author email provided
All external links appear legitimate
Repository not found (deleted or private)
2 maintainer concern(s) found
Author name is missing or very short
Author "" appears to have only 1 package on PyPI (new or inactive account)
No known vulnerabilities found in OSV database.
AI App Starter Prompt
Create a fully-functional mini-application named 'SecretHunter' that leverages the 'autonoma-cli' package to detect and safely manage hardcoded secrets within Python scripts and configuration files. The application should be designed to scan a specified directory and its subdirectories for any files containing Python code or common configuration file types (e.g., .json, .yaml, .env). It should then use 'autonoma-cli' to identify any potential hardcoded secrets such as API keys, passwords, or tokens. Once detected, the application should provide options for either redacting these secrets directly in the file or exporting them to a secure vault service like HashiCorp Vault for safer storage. Additionally, implement a feature that allows users to specify custom patterns or regular expressions for more granular control over what constitutes a 'hardcoded secret'. The application should also include a user-friendly command-line interface (CLI) for easy interaction and configuration. Ensure that the application is well-documented and includes examples of how to integrate it into existing development workflows.