autoplay-setup

v0.1.0 suspicious
6.0
Medium Risk

CLI wrapper that wires PostHog → Autoplay event streaming into a customer's project.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits high shell risk and metadata risk due to its execution of potentially harmful shell commands and lack of detailed metadata. While there is no evidence of obfuscation or credential harvesting, the combination of these factors raises suspicion about its legitimacy.

  • High shell risk due to potential unintended side effects
  • Lack of author details and associated GitHub repository

Per-check LLM notes

  • Network: Network calls could be legitimate if the package requires external API interactions, but the incomplete code suggests potential undefined behavior.
  • Shell: Executing shell commands, especially with global installations and model-specific commands, raises concerns about unintended side effects or potential misuse.
  • Obfuscation: No obfuscation patterns detected, indicating low risk of malicious obfuscation.
  • Credentials: No credential harvesting patterns detected, suggesting no immediate risk of secret theft.
  • Metadata: The package is new, lacks author details, and has no associated GitHub repository, raising concerns about its legitimacy.

🔬 Heuristic Checks

Outbound Network Calls score 7.5

Found 5 network call pattern(s)

  • s None client = client or httpx.AsyncClient(timeout=_TIMEOUT_SECONDS) try: response = await
  • s None client = client or httpx.AsyncClient(timeout=_TIMEOUT_SECONDS) try: await client.post
  • httpx.AsyncClient: return httpx.AsyncClient(transport=httpx.MockTransport(handler)) # type: ignore[arg-
  • : ignore[arg-type] return httpx.AsyncClient(transport=transport) async def test_success() -> None:
  • tpx.Response(204) return httpx.AsyncClient(transport=httpx.MockTransport(handler)) async def test_eve

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 6.0

Found 3 shell execution pattern(s)

  • return False result = subprocess.run( ["npm", "install", "-g", _NPM_PACKAGE], che
  • of every action. result = subprocess.run( [ "claude", "--model",
  • id", project_id] result = subprocess.run( cmd, cwd=str(project_root), env=env, check=False

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 10.0

5 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-05T07:35:11.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)