warpos

v0.1.0 suspicious
6.0
Medium Risk

The open-source platform for AI agents. Write logic, deploy everything.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package warpos v0.1.0 exhibits high obfuscation risk due to the use of eval with user input and moderate credential risk from checking for a Discord token. These factors, combined with its lack of maintainer history and sparse metadata, suggest potential malicious intent.

  • High obfuscation risk due to eval usage
  • Moderate credential risk due to Discord token check

Per-check LLM notes

  • Network: No network calls detected, which is normal if the package does not require internet access.
  • Shell: No shell execution patterns detected, indicating the package likely does not execute system commands.
  • Obfuscation: The use of eval with user input is highly suspicious and poses a significant risk as it can execute arbitrary code.
  • Credentials: The presence of code that checks for an environment variable for a Discord token suggests the package may be designed to run a bot, but without more context, there's a risk it could be harvesting credentials.
  • Metadata: The package is brand new with no maintainer history and lacks critical information such as author details, raising suspicion.

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • """ try: result = eval(expression) # noqa: S307 return str(result) exc

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • se) def main(): token = os.environ.get("DISCORD_TOKEN") if not token: print("Error: Set DISCORD_

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

No GitHub repository linked

  • No GitHub repository link found

Maintainer History score 10.0

5 maintainer concern(s) found

  • Only one version has ever been released — brand new package
  • Package uploaded less than 24 hours ago (2026-06-05T04:07:52.000Z)
  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
  • Package has no PyPI classifiers (low effort / metadata quality)