🤖 AI Analysis

Final verdict: SUSPICIOUS

The package has low risks associated with network usage, shell execution, obfuscation, and credential handling. However, the metadata risk is high due to recent suspicious activity in the repository and from the maintainer, raising concerns about potential tampering.

High metadata risk due to suspicious repository activity
No other significant risks identified

Per-check LLM notes

Network: No network calls detected, which is normal unless the package requires network interaction for its functionality.
Shell: No shell execution patterns detected, indicating no immediate signs of executing system commands.
Obfuscation: No obfuscation patterns detected, indicating low risk of malicious intent.
Credentials: No credential harvesting patterns detected, indicating secure handling of sensitive information.
Metadata: High risk due to recent and suspicious repository and maintainer activity.

🔬 Heuristic Checks

✓ Outbound Network Calls

No suspicious network call patterns found

✓ Code Obfuscation

No obfuscation patterns detected

✓ Shell / Subprocess Execution

No shell execution patterns detected

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: gmail.com>

✓ Suspicious Page Links

All external links appear legitimate

⚠ Git Repository History score 10.0

Git history flags: Repository created very recently: 0 day(s) ago (2026-06-05T08:32:37Z)

Repository created very recently: 0 day(s) ago (2026-06-05T08:32:37Z)
Repository appears empty (size = 0)
Very few commits: 2 total
Single contributor with only 2 commit(s) — possibly throwaway account

⚠ Maintainer History score 10.0

5 maintainer concern(s) found

Only one version has ever been released — brand new package
Package uploaded less than 24 hours ago (2026-06-05T09:44:40.000Z)
Author name is missing or very short
Author "" appears to have only 1 package on PyPI (new or inactive account)
Package has no PyPI classifiers (low effort / metadata quality)

✓ Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with decision-provenance

Create a mini-application that monitors and logs the decision-making process of a simple machine learning model using the 'decision-provenance' package. This application will serve as a tamper-evident audit log for the inference pipeline of the model, ensuring transparency and accountability in its decision-making process.

Step 1: Set up a basic machine learning model. For simplicity, use a pre-trained sentiment analysis model from a library like Hugging Face's Transformers.

Step 2: Integrate the 'decision-provenance' package into your application. Configure it to record every decision made by the model during inference, including input data, intermediate states, and final predictions.

Step 3: Develop a user interface where users can input text for sentiment analysis. Ensure that the application captures this input and passes it through the sentiment analysis model.

Step 4: Utilize 'decision-provenance' to log each inference made by the model. This includes logging the original input, any transformations applied to the input before inference, the model's internal state at key points, and the final output prediction.

Step 5: Implement a feature that allows users to review the logged decisions. This feature should provide insights into how the model arrived at its prediction, showcasing the tamper-evident nature of the logs provided by 'decision-provenance'.

Suggested Features:
- Real-time visualization of the model's internal state during inference.
- A history log that users can query based on specific inputs or outputs.
- Anomaly detection system that flags unusual patterns in the model's decision-making process.
- Export functionality for the logs in a tamper-proof format, such as a blockchain-based ledger or a digitally signed document.