pharnoss

v0.2.0 suspicious
4.0
Medium Risk

Project-agnostic Goal B operating layer: bind sub-goals to goals via executable anchors, machine-checked.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows moderate risk due to potential shell execution and the recent upload without a corresponding GitHub repository, suggesting it may require closer scrutiny.

  • Shell execution present
  • Lack of associated GitHub repository

Per-check LLM notes

  • Network: No network calls detected.
  • Shell: Shell execution is present and could potentially be used for unauthorized actions if not properly controlled.
  • Obfuscation: No obfuscation patterns detected, indicating low risk of malicious activity related to code obfuscation.
  • Credentials: No credential harvesting patterns detected, indicating low risk of malicious activity related to secret or credential theft.
  • Metadata: The recent upload and lack of a GitHub repository suggest potential low effort or new maintainer activity, but insufficient evidence for high suspicion.

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 2.0

Found 1 shell execution pattern(s)

  • try: proc = subprocess.run(shlex.split(cmd), cwd=cfg["root"], capture_output=not report

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 6.0

3 maintainer concern(s) found

  • Package uploaded less than 24 hours ago (2026-06-05T07:47:56.000Z)
  • Author "Ian Chu" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)