lmms-video-utils

v0.1.0 suspicious
4.0
Medium Risk

Codec-stream video frontend for LMMs (LLaVA-OneVision-2 style).

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits some suspicious behavior, particularly around network activity and metadata quality, but lacks clear indicators of malicious intent such as shell execution or credential harvesting.

  • network risk due to potential partial downloads
  • low metadata quality and lack of associated GitHub repository
Per-check LLM notes
  • Network: The network calls suggest the package is designed to download files, possibly video samples, which is somewhat expected for a package named 'lmms-video-utils'. However, the use of .part files may indicate partial downloads, raising some suspicion.
  • Shell: No shell execution patterns were detected, indicating no direct system command execution risk.
  • Obfuscation: No obfuscation patterns detected, indicating low risk.
  • Credentials: No credential harvesting patterns detected, indicating low risk.
  • Metadata: The package is newly created with low metadata quality and no associated GitHub repository, raising suspicion.

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • suffix(".mp4.part") req = urllib.request.Request(URL, headers={"User-Agent": "Mozilla/5.0"}) with
  • nt": "Mozilla/5.0"}) with urllib.request.urlopen(req, timeout=60) as r, open(tmp, "wb") as f:
  • t.suffix + ".part") req = urllib.request.Request(SAMPLE_URL, headers={"User-Agent": "Mozilla/5.0"})
  • /5.0"}) try: with urllib.request.urlopen(req, timeout=60) as r, open(tmp, "wb") as f:
Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found
Maintainer History score 8.0

4 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-05T04:18:21.000Z)
  • Author "LMMs-Lab" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)