awx-zipline-ai

v0.4.9 suspicious
6.0
Medium Risk

CLI tool for the Zipline AI platform

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits multiple risk factors including potential credential misuse, network calls, and use of shell commands, which collectively raise concerns about its integrity and legitimacy.

  • Credential risk due to access of AWS credentials from environment variables
  • Use of shell commands potentially introducing execution risks
Per-check LLM notes
  • Network: The detected network calls could be part of legitimate authentication and session management processes, but they warrant further investigation to ensure they align with the package's intended functionality.
  • Shell: The use of shell commands may serve legitimate purposes like version control operations, yet it introduces potential execution risks that should be carefully reviewed.
  • Obfuscation: The code uses Base64 decoding which can be used for obfuscation but is also common in legitimate applications for data encoding and decoding.
  • Credentials: The package accesses environment variables for AWS credentials which could indicate potential misuse unless it's documented that these are required for the package's functionality.
  • Metadata: Low risk but shows signs of low maintainer engagement and metadata quality.

📦 Package Quality Overall: Medium (6.6/10)

✦ High Test Suite 9.0

Test suite present — 7 test file(s) found

  • 7 test file(s) detected (e.g. __init__.py)
◈ Medium Documentation 7.0

Some documentation present

  • Documentation URL: "documentation" -> https://docs.zipline.ai
  • Detailed PyPI description (3844 chars)
○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 216 type-annotated function signatures detected in source
✦ High Multiple Contributors 10.0

Active multi-contributor project

  • 17 unique contributor(s) across 100 commits in zipline-ai/chronon
  • Active community — 5 or more distinct contributors

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • ilename}...") urllib.request.urlretrieve(jar_url, local_path) console.pri
  • ...") try: resp = requests.post( f"{base_url}/api/auth/device/code",
  • try: token_resp = requests.post( f"{base_url}/api/auth/device/token",
  • session_resp = requests.get( f"{base_url}/api/auth/get-session",
  • ken"] try: resp = requests.get( f"{base_url}/api/auth/token", heade
  • try: resp = requests.get( f"{base_url}/api/auth/get-session",
Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • decoded = base64.b64decode(auth_b64).decode() except Exception:
  • ta"][0] decoded = base64.b64decode(auth_data["authorizationToken"]).decode() userna
  • exceptions_if_json_format def eval( conf, repo, hub_url, use_auth, format,
Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • """ try: result = subprocess.run( ["git", "config", "user.email"], ca
  • ch() -> str: try: subprocess.check_output(["git", "rev-parse", "HEAD"], stderr=subprocess.DEVNULL)
  • return ( subprocess.check_output(["git", "rev-parse", "--abbrev-ref", "HEAD"]) .d
  • return ( subprocess.check_output(["git", "merge-base", base_branch, "HEAD"]) .dec
  • str]: try: return subprocess.check_output(["git", "show", f"{commit}:{file_path}"]).decode("utf-8")
  • t: {path}") try: subprocess.check_output(["git", "rev-parse", "HEAD"], stderr=subprocess.DEVNULL)
Credential Harvesting score 7.5

Found 3 credential access pattern(s)

  • LECTOR") aws_region = os.environ.get("AWS_REGION", os.environ.get("AWS_DEFAULT_REGION", "us-east-1"))
  • os.environ.get("AWS_REGION", os.environ.get("AWS_DEFAULT_REGION", "us-east-1")) job_id = self.conf_m
  • ts = 120 region = os.environ.get("AWS_REGION", "us-west-2") emr_serverless = boto3.cli
Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: zipline.ai>

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository zipline-ai/chronon appears legitimate

Maintainer History score 6.0

3 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with awx-zipline-ai 
Create a fully-functional mini-application named 'ZiplineAIWorkflow' using the Python package 'awx-zipline-ai'. This application will serve as a bridge between local development environments and the Zipline AI platform, enabling developers to easily manage their workflows and projects through command-line interactions. The application should support the following core functionalities:

1. **Project Management**: Users should be able to create new projects, list existing projects, and delete projects.
2. **Workflow Execution**: The application should allow users to upload workflows to the Zipline AI platform, execute them, and monitor their status.
3. **Resource Management**: Implement commands to manage resources such as datasets and models within the Zipline AI environment.
4. **Integration with Local Development**: Provide options to download project files from the Zipline AI platform for further local development and testing.
5. **Version Control**: Incorporate version control for workflows and projects, allowing users to track changes and revert to previous versions if necessary.
6. **Authentication and Security**: Ensure secure access to the Zipline AI platform through authentication mechanisms supported by the 'awx-zipline-ai' package.
7. **Logging and Reporting**: Include logging of all actions performed via the application and generate reports on workflow execution times and resource usage.

The 'awx-zipline-ai' package will be utilized to interact with the Zipline AI platform API, handling tasks such as authentication, project creation/deletion, workflow uploads/execution/status checks, and resource management. The application should be designed to be user-friendly, providing clear and concise output for each command executed. Additionally, consider implementing error handling and validation checks to ensure robustness and reliability of the application.

💬 Discussion Feed

Leave a comment

No discussion yet. Be the first to share your thoughts!