AI Analysis
Final verdict: SUSPICIOUS
The package has legitimate-looking functionality but shows signs of low effort and a newly created account, raising concerns about its authenticity and potential malicious intent.
- Metadata risk indicating low effort and new account creation
- Legitimate network calls for authentication and dataset authorization
Per-check LLM notes
- Network: The network calls appear to be related to authentication and dataset authorization, which could be legitimate for a downloader package.
- Shell: No shell execution patterns were detected.
- Obfuscation: No obfuscation patterns detected, indicating low risk.
- Credentials: No credential harvesting patterns detected, indicating low risk.
- Metadata: The package shows signs of low effort and a newly created account, which raises suspicion.
Heuristic Checks
Outbound Network Calls
score 6.0
Found 4 network call pattern(s)
" try: response = requests.get( f"{API_BASE}/auth/dataset/authorize",ownloader import requests requests.get(url) requests.post(url, json=data) """ import socket frosts requests.get(url) requests.post(url, json=data) """ import socket from typing import Any im} response = requests.post( login_api, json={"accessKey": ak, "
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
No shell execution patterns detected
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
Email domain looks legitimate: baai.ac.cn>
Suspicious Page Links
All external links appear legitimate
Git Repository History
No GitHub repository linked
No GitHub repository link found
Maintainer History
score 8.0
4 maintainer concern(s) found
Only one version has ever been released — brand new packagePackage uploaded less than 24 hours ago (2026-06-05T08:24:55.000Z)Author "史红光" appears to have only 1 package on PyPI (new or inactive account)Package has no PyPI classifiers (low effort / metadata quality)