AI Analysis
Final verdict: SUSPICIOUS
The package exhibits moderate risks due to its metadata quality and new maintainer's limited history, despite having low risks in other areas such as shell execution and credential harvesting.
- Metadata risk is high due to missing git repository and poor metadata quality.
- New maintainer with limited historical contributions.
Per-check LLM notes
- Network: The use of network calls to localhost might be intended for local testing or debugging but could also indicate unexpected behavior.
- Shell: No shell execution patterns were detected.
- Obfuscation: No obfuscation patterns detected, indicating low risk.
- Credentials: No credential harvesting patterns detected, indicating low risk.
- Metadata: The package shows several red flags including lack of a git repo, low metadata quality, and a new maintainer with limited history.
Heuristic Checks
Outbound Network Calls
score 3.0
Found 2 network call pattern(s)
try: with socket.create_connection(("127.0.0.1", port), timeout=0.1): breakut=None) -> str: with httpx.Client(timeout=timeout or self._timeout) as c: r = c.po
Code Obfuscation
No obfuscation patterns detected
Shell / Subprocess Execution
No shell execution patterns detected
Credential Harvesting
No credential harvesting patterns detected
Typosquatting
No typosquatting candidates detected
Registered Email Domain
No author email provided
Suspicious Page Links
All external links appear legitimate
Git Repository History
No GitHub repository linked
No GitHub repository link found
Maintainer History
score 8.0
4 maintainer concern(s) found
Only one version has ever been released — brand new packagePackage uploaded less than 24 hours ago (2026-06-05T06:01:15.000Z)Author "R&D Team" appears to have only 1 package on PyPI (new or inactive account)Package has no PyPI classifiers (low effort / metadata quality)