tinytasktree

v0.1.6 suspicious
5.0
Medium Risk

A tiny async task-tree orchestrator for Python, behavior-tree inspired and LLM-ready.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows signs of legitimate use; the shell execution is possibly for development purposes. However, the use of pickle.loads, together with the very recent upload date and non-secure links, raises concerns about potential obfuscation and security issues.

  • Shell execution detected
  • Use of pickle.loads
  • Recent upload with non-secure links

Per-check LLM notes
  • Network: No network calls detected.
  • Shell: Shell execution was detected; it may be used for building UI components, indicating possible legitimate use for development purposes.
  • Obfuscation: The use of pickle.loads might indicate an attempt to hide data structures or logic, but it could also be part of a legitimate data processing task.
  • Credentials: No clear patterns indicative of credential harvesting were found.
  • Metadata: The package was uploaded recently and has non-secure links, which may indicate potential security issues.

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • try: x = pickle.loads(w) if self._value_validator: # Need val

Shell / Subprocess Execution score 4.0

Found 2 shell execution pattern(s)

  • .join(install_cmd)}") subprocess.run(install_cmd, cwd=ui_dir, check=True) else: _log(
  • ir} cmd={npm} run build") subprocess.run([npm, "run", "build"], cwd=ui_dir, check=True) if not ui

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links score 8.0

Found 4 suspicious link(s) on the package page

  • Non-HTTPS external link: http://127.0.0.1:8000/{trace_id}
  • Non-HTTPS external link: http://127.0.0.1:8000
  • Non-HTTPS external link: http://127.0.0.1:8000/`
  • Non-HTTPS external link: http://127.0.0.1:8000/

Git Repository History

Repository orion-arm-ai/tinytasktree appears legitimate

Maintainer History score 6.0

3 maintainer concern(s) found

  • Package uploaded less than 24 hours ago (2026-06-05T06:10:18.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)