Package Metadata

Author: —
Email: mcp-tool-shop <[email protected]>
PyPI: backpropagate
Python: >=3.10
Versions: 17 releases
First release: 19 Jan 2026, 11:56 UTC
Analysed: 08 Jun 2026, 20:55 UTC
Source files: 61 .py files scanned

Project Links

Changelog Documentation Homepage Issues Repository

Classifiers

Development Status :: 5 - Production/StableIntended Audience :: DevelopersIntended Audience :: Science/ResearchLicense :: OSI Approved :: MIT LicenseOperating System :: OS IndependentProgramming Language :: Python :: 3Programming Language :: Python :: 3.10Programming Language :: Python :: 3.11Programming Language :: Python :: 3.12Programming Language :: Python :: 3.13

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits multiple high-risk indicators including potential credential harvesting, obfuscation techniques, and shell command execution. These factors collectively suggest a significant likelihood of malicious intent.

References to sensitive files and paths
Obfuscation through Base64 decoding
Shell command execution capabilities

Per-check LLM notes

Network: No network calls detected, which is normal unless the package relies on external services.
Shell: The presence of shell command execution suggests the package may interact with system commands, which could be risky if not properly sanitized or controlled.
Obfuscation: The presence of Base64 decoding and attempts to validate strings suggests an attempt to hide or secure code logic, which may indicate obfuscation for malicious purposes.
Credentials: References to sensitive files like ``~/.ssh/id_rsa`` and ``/etc/passwd``, along with path traversal errors, strongly suggest an intent to harvest credentials or access restricted files.
Metadata: The maintainer's author name is missing or very short and seems to be a new or inactive account, raising some concerns but not definitive proof of malice.

📦 Package Quality Overall: Medium (7.6/10)

✦ High Test Suite 9.0

Test suite present — 12 test file(s) found

Test runner config found: conftest.py
Test runner config found: pyproject.toml
12 test file(s) detected (e.g. __init__.py)

◈ Medium Documentation 7.0

Some documentation present

Documentation URL: "Documentation" -> https://github.com/mcp-tool-shop-org/backpropagate#readme
Detailed PyPI description (33007 chars)

✦ High Contributing Guide 9.0

Has contribution guidelines and governance files

Governance file: security.py
Development Status classifier >= Beta

◈ Medium Type Annotations 7.0

Partial type annotation coverage

Classifier: Typing :: Typed
552 type-annotated function signatures detected in source

◈ Medium Multiple Contributors 6.0

Limited contributor diversity

2 unique contributor(s) across 100 commits in mcp-tool-shop-org/backpropagate
Two distinct contributors found

🔬 Heuristic Checks

✓ Outbound Network Calls

No suspicious network call patterns found

⚠ Code Obfuscation score 10.0

Found 6 obfuscation pattern(s)

e try: decoded = base64.b64decode(parts[1], validate=True).decode("utf-8") except (ValueEr
len("Basic "):] decoded = base64.b64decode(encoded).decode("utf-8") assert decoded == "alice:hunter
"][len("Basic "):] assert base64.b64decode(encoded).decode("utf-8") == ":" def test_ws_recorder_detec
._device) self._model.eval() logger.info(f"Model loaded on {self._device}")
return None model.eval() total = 0.0 counted = 0 with torch.no_grad():
port torch # lazy model.eval() samples: list[GenerationSample] = [] do_sample = t

⚠ Shell / Subprocess Execution score 10.0

Found 5 shell execution pattern(s)

e child. BRIDGE-A-004: ``subprocess.run(cmd, timeout=N)`` does NOT reliably forward SIGINT / Ctr
_output else None proc = subprocess.Popen( # noqa: S603 — argv is callee-controlled here cmd,
[] try: result = subprocess.run( ["ollama", "list"], capture_output=
dels's timeout shape. subprocess.run( ["ollama", "rm", model_name], captu
s flags. result = subprocess.run( [cmd, "diff-runs", "--", self.current_run_i

⚠ Credential Harvesting score 10.0

Found 6 credential access pattern(s)

link to ``~/.ssh/id_rsa`` / ``/etc/passwd`` would # otherwise be uploaded verbatim to the pu
>>> safe_path("../../etc/passwd", allowed_base="/models") PathTraversalError: Path
athTraversalError: Path '../../etc/passwd' escapes allowed directory '/models' >>> safe_path
>>> safe_path("/etc/../etc/passwd") PathTraversalError: Path traversal detected in: /
traversal detected in: /etc/../etc/passwd """ path = Path(user_path) # Check for relativ
ion-shaped value (e.g. ``--to=/etc/passwd`` or ``-o``) is parsed by # the downstream argparse-based C

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: users.noreply.github.com>

✓ Suspicious Page Links

All external links appear legitimate

✓ Git Repository History

Repository mcp-tool-shop-org/backpropagate appears legitimate

⚠ Maintainer History score 4.0

2 maintainer concern(s) found

Author name is missing or very short
Author "" appears to have only 1 package on PyPI (new or inactive account)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with backpropagate

Your task is to create a mini-application that allows users to fine-tune their own language models using the 'backpropagate' package. This application will serve as a user-friendly interface for experimenting with different datasets and configurations without needing deep knowledge of machine learning principles. Here are the steps and features your app should include:

1. **Setup**: Begin by installing the 'backpropagate' package and any other necessary dependencies.
2. **User Interface**: Develop a simple, intuitive UI where users can upload their custom dataset (text files, CSVs, etc.) and select from predefined model architectures or input their own.
3. **Configuration Options**: Allow users to tweak parameters such as batch size, learning rate, epochs, and loss functions directly through the UI.
4. **Fine-Tuning Process**: Utilize 'backpropagate' to handle the fine-tuning process. Ensure the application leverages the package's smart defaults for ease of use while allowing advanced customization.
5. **Progress Tracking**: Implement real-time progress tracking so users can monitor the training process.
6. **Model Evaluation**: After training, provide metrics and visualizations for evaluating the performance of the fine-tuned model.
7. **Deployment Options**: Once satisfied, users should have the option to save and export their model for future use or deployment.

Incorporate these elements into a cohesive application that showcases the capabilities of 'backpropagate', making it accessible for both beginners and experienced developers.

💬 Discussion Feed

No discussion yet. Be the first to share your thoughts!

🤖 AI Analysis

📦 Package Quality Overall: Medium (7.6/10)

🔬 Heuristic Checks

💡 AI App Starter Prompt

💬 Discussion Feed

Leave a comment

Report Abuse / Security Issue