bankofai-x402-gateway

v0.6.1b0 suspicious
6.0
Medium Risk

YAML-driven x402 payment gateway for provider APIs

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits moderate risk due to potential shell execution risks and metadata issues, including non-secure links and a missing repository. These factors raise concerns about its integrity and security.

  • High shell risk due to subprocess.Popen usage
  • Repository not found and presence of non-secure links

Per-check LLM notes
  • Network: The network calls are typical for making HTTP requests and seem standard for a service gateway.
  • Shell: Executing external scripts via subprocess.Popen can be risky if not properly controlled, suggesting potential for unauthorized command execution.
  • Obfuscation: The use of base64 decoding and JSON loading might indicate an attempt to obscure code logic, but it could also be part of normal data processing in a legitimate application.
  • Credentials: No clear evidence of credential harvesting was found in the provided snippets.
  • Metadata: The package contains non-secure links and the repository is not found, raising suspicion.

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • , connect=3.0) async with httpx.AsyncClient(timeout=timeout, follow_redirects=False) as client:
  • ict[str, Any]: async with httpx.AsyncClient(timeout=httpx.Timeout(10.0, connect=3.0)) as client:
  • try: async with httpx.AsyncClient( base_url=url.rstrip("/"), timeout=httpx.Timeout
  • _RPC_DEFAULT) async with httpx.AsyncClient(timeout=httpx.Timeout(5.0, connect=2.0)) as client:

Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • der" decoded = json.loads(base64.b64decode(header).decode()) assert decoded["x402Version"] == 2
  • pay_response = json.loads(base64.b64decode(pay_response_header).decode()) assert pay_response["succ
  • er challenge = json.loads(base64.b64decode(header).decode()) assert challenge["x402Version"] == 2

Shell / Subprocess Execution score 2.0

Found 1 shell execution pattern(s)

  • directory; cd in. proc = subprocess.Popen( [sys.executable, str(DEMO_FACILITATOR_MAIN)],

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: bankofai.io

Suspicious Page Links score 10.0

Found 13 suspicious link(s) on the package page

  • Non-HTTPS external link: http://127.0.0.1:4020/__402/health
  • Non-HTTPS external link: http://127.0.0.1:4020/__402/providers
  • Non-HTTPS external link: http://127.0.0.1:4020/__402/endpoints
  • Non-HTTPS external link: http://127.0.0.1:4021/supported
  • Non-HTTPS external link: http://127.0.0.1:4020
  • Non-HTTPS external link: http://127.0.0.1:4021

Git Repository History score 3.0

Repository not found (deleted or private)

  • Repository not found (deleted or private)

Maintainer History score 8.0

4 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-05T02:26:56.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)