usecix

v1.0.6 suspicious
6.0
Medium Risk

Git-anchored cloud-first code index + MCP for Claude, Codex, and Gemini

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits several red flags including a high metadata risk score due to its recent upload and lack of maintainer history, along with a medium risk of credential exposure. These factors combined suggest potential malicious intent, though direct evidence of harmful activity is not confirmed.

  • High metadata risk
  • Medium credential risk

Per-check LLM notes
  • Network: The network calls seem to be checking the status of external services or fetching metadata, which could be benign if related to package updates or health checks.
  • Shell: The shell execution patterns involve Git commands, possibly for version control operations within the package's development environment, but without context, there is a concern for unintended actions or access.
  • Obfuscation: No obfuscation patterns were detected.
  • Credentials: The code retrieves a GitHub token from an environment variable or a function argument, which could indicate legitimate use but also poses a risk for credential harvesting.
  • Metadata: The package is highly suspicious due to its recent upload and lack of maintainer history.

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • ealth' try: req = urllib.request.Request(probe_url, method='GET') with urllib.request
  • l, method='GET') with urllib.request.urlopen(req, timeout=timeout_s) as resp: ok = 20
  • st() -> str | None: req = urllib.request.Request( _PYPI_URL, headers={"Accept": "appl
  • , ) try: with urllib.request.urlopen(req, timeout=_FETCH_TIMEOUT_SECONDS) as resp:
  • '/v1/auth/exchange' req = urllib.request.Request(url, data=b'{}', method='POST') req.add_header('
  • /json') try: with urllib.request.urlopen(req, timeout=timeout) as resp: body = js

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 6 shell execution pattern(s)

  • r.""" try: return subprocess.check_output( ["git", *args], cwd=repo_root, text
  • rocess try: out = subprocess.run( ['git', 'rev-parse', '--show-toplevel'],
  • ) try: result = subprocess.run( ['git', 'status', '--short'], cwd=s
  • r on failure.""" result = subprocess.run( ['git', *args], cwd=repo_root, capt
  • language. """ proc = subprocess.run( ['git', 'show', f':{path}'], cwd=repo_root,
  • """ try: result = subprocess.run( ['git', '-C', repo_root, 'log', f'

Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • f token = github_token or os.environ.get('GITHUB_TOKEN') if token: payload['github_token'] = token

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 10.0

5 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-05T06:35:49.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)