clanker-gguf

v1.0.4 suspicious
5.0
Medium Risk

LLM Turbo-Optimizer CLI. detect hardware, parse GGUF models, generate optimized llama-server commands.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package has a moderate risk score due to its use of subprocess calls and limited maintainer activity, raising concerns about potential supply-chain risks.

  • High shell risk due to subprocess calls
  • Low maintainer activity and engagement
Per-check LLM notes
  • Network: The use of 'requests.head' is generally benign and could be used for checking the existence of resources.
  • Shell: Subprocess calls can be risky if not properly sanitized, suggesting potential execution of arbitrary commands which may lead to security vulnerabilities.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The package is newly uploaded with minimal maintainer history and low engagement in the git repository, indicating potential risk.

🔬 Heuristic Checks

Outbound Network Calls score 1.5

Found 1 network call pattern(s)

  • resp = requests.head(url, timeout=15, allow_redirects=True)
Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • pt. try: result = subprocess.run(cmd, cwd=cwd) return result.returncode except Ke
  • allback. try: r = subprocess.run( [cli, "-hf", f"{repo_id}:{quant}"],
  • filename try: r = subprocess.run( [cli, "-hf", repo_id, "-f", filename],
  • try: name_result = subprocess.run( [nvidia_smi, "--query-gpu=name", "--format=csv,
  • else "" mem_result = subprocess.run( [ nvidia_smi, "
  • t]: try: result = subprocess.run( ["sh", "-c", "ulimit -l"], capture_
Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 2.5

Git history flags: Repository has zero stars and zero forks

  • Repository has zero stars and zero forks
Maintainer History score 4.0

2 maintainer concern(s) found

  • Package uploaded less than 24 hours ago (2026-06-05T03:01:50.000Z)
  • Author "Clanker Contributors" appears to have only 1 package on PyPI (new or inactive account)