axm-audit

Version: v0.9.0
Verdict: suspicious
Score: 5.0 (Medium Risk)

Code auditing and quality rules for AXM

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate risks due to network interactions and use of subprocess for git operations, though no direct evidence of malicious behavior was found.

  • network interactions with external services
  • use of subprocess for git operations

Per-check LLM notes

  • Network: The network calls suggest the package interacts with external services, which could be legitimate but warrants further investigation to confirm its purpose.
  • Shell: Use of subprocess for git operations may indicate the package performs version control actions locally, but it also poses a risk if commands are executed without proper validation or control.
  • Obfuscation: No obfuscation patterns detected, indicating low risk of malicious intent.
  • Credentials: No credential harvesting patterns detected, suggesting no immediate threat to stored secrets.
  • Metadata: The missing repository and short author details raise concerns about the legitimacy of the package.

📦 Package Quality Overall: Medium (6.2/10)

✦ High Test Suite 9.0

Test suite present — 13 test file(s) found

  • 13 test file(s) detected (e.g. test_runner.py)

◈ Medium Documentation 7.0

Some documentation present

  • Documentation URL: "Documentation" -> https://axm-protocols.github.io/axm-audit/
  • Detailed PyPI description (10291 chars)

◈ Medium Contributing Guide 7.0

Some contribution signals present

  • Governance file: security.py

◈ Medium Type Annotations 7.0

Partial type annotation coverage

  • Classifier: Typing :: Typed
  • Type checker (mypy / pyright / pytype) referenced in project
  • 1090 type-annotated function signatures detected in source

○ Low Multiple Contributors 1.0

Could not retrieve contributor data from GitHub

  • GitHub API error: 404

🔬 Heuristic Checks

Outbound Network Calls score 4.5

Found 3 network call pattern(s)

  • .create_connection", "urllib.request.urlopen", "urllib.urlopen", "requests.get",
  • expr) -> bool: """Match ``requests.get(...)`` — direct attribute on a library name.""" return i
  • expr) -> bool: """Match ``httpx.AsyncClient().get(...)`` — constructor call chain.""" if not isinsta

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • args: str) -> str: return subprocess.check_output( ["git", *args], cwd=REPO_ROOT, text=True, stderr=su
  • in any cluster.""" res = subprocess.run( ["git", "archive", sha, "packages/axm-audit"],
  • None: try: return subprocess.check_output( ["git", "show", f"{commit}:{file}"],
  • ath) try: return subprocess.run( # noqa: S603 full_cmd, timeout=tim
  • ree): return rc = subprocess.run( ["git", "rm", "-q", str(source)], capture_o
  • ia git_mv" ) rc = subprocess.run( ["git", "mv", str(src), str(dst)], capture_

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: axm-protocols.io

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

  • Repository not found (deleted or private)

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with axm-audit:

Your task is to develop a fully functional code auditing tool named 'AXM-QualityGuard' using the Python package 'axm-audit'. This tool will serve as a comprehensive solution for developers to ensure their AXM-based projects adhere to best practices and maintain high-quality standards. The application should include the following key functionalities:

1. **Project Initialization**: Allow users to specify the path to their AXM project directory. The tool should automatically scan and load all relevant files.
2. **Code Audit Execution**: Utilize 'axm-audit' to run predefined quality checks on the loaded codebase. These checks should cover aspects such as coding style, potential bugs, security vulnerabilities, and performance optimizations.
3. **Report Generation**: After the audit process, generate a detailed report summarizing the findings. This report should include categories like 'Passed', 'Warning', and 'Failed' with specific reasons and suggestions for improvement.
4. **Interactive Suggestions**: For issues flagged during the audit, provide interactive suggestions or fixes directly within the tool. Users should be able to apply these suggestions with a single click or manually adjust them as needed.
5. **Custom Rules Support**: Enable users to define their own custom audit rules if the default set provided by 'axm-audit' does not meet their specific needs. These custom rules should be saved and reusable across multiple audits.
6. **User Interface**: Develop a user-friendly graphical interface using a library like PyQt or Tkinter, making it easy for non-technical users to interact with the tool.
7. **Integration Capabilities**: Offer options to integrate the audit results into popular Continuous Integration/Continuous Deployment (CI/CD) systems like Jenkins or GitHub Actions.
8. **Performance Optimization**: Ensure the tool is efficient and can handle large codebases without significant delays.

To achieve these goals, you'll need to utilize the 'axm-audit' package effectively. Specifically, leverage its ability to define and execute custom audit rules, interpret audit results, and generate actionable feedback. Your final product should not only highlight issues but also empower developers to improve their code quality continuously.
