Package Metadata

Author: —
Email: Witty Team <[email protected]>
PyPI: wottys-test
Python: >=3.11
Versions: 1 release
First release: 05 Jun 2026, 06:54 UTC
Analysed: 05 Jun 2026, 07:16 UTC
Source files: 62 .py files scanned

Project Links

changelog documentation homepage repository

Classifiers

Development Status :: 4 - BetaIntended Audience :: DevelopersLicense :: OSI Approved :: MIT LicenseOperating System :: OS IndependentProgramming Language :: Python :: 3Programming Language :: Python :: 3.11Programming Language :: Python :: 3.12Programming Language :: Python :: 3.13Topic :: Software Development :: Libraries :: Application Frameworks

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package has a moderate risk score primarily due to the potential for executing shell commands and the high metadata risk. However, there is no evidence of obfuscation, network risks, or credential theft.

Shell risk due to potential execution of external commands
High metadata risk due to non-secure links and lack of maintainer history

Per-check LLM notes

Network: No network calls were detected.
Shell: The presence of shell execution suggests the package may execute external commands, which could be benign or part of its functionality, but also indicates potential risk if not properly controlled.
Obfuscation: No obfuscation patterns detected, indicating low risk.
Credentials: No credential harvesting patterns detected, indicating low risk.
Metadata: High risk due to non-secure links and lack of maintainer history.

🔬 Heuristic Checks

✓ Outbound Network Calls

No suspicious network call patterns found

✓ Code Obfuscation

No obfuscation patterns detected

⚠ Shell / Subprocess Execution score 8.0

Found 4 shell execution pattern(s)

nv.update(dict(env)) cp = subprocess.run(args, capture_output=True, text=True, env=merged_env) re
ce"] try: subprocess.run(command, check=True, capture_output=True, text=True)
try: result = subprocess.run(command, check=True, capture_output=True, text=True)
try: result = subprocess.run( [ "openclaw",

✓ Credential Harvesting

No credential harvesting patterns detected

✓ Typosquatting

No typosquatting candidates detected

✓ Registered Email Domain

Email domain looks legitimate: witty.dev>

⚠ Suspicious Page Links score 6.0

Found 3 suspicious link(s) on the package page

Non-HTTPS external link: http://127.0.0.1:8000/healthz
Non-HTTPS external link: http://127.0.0.1:8000/agents
Non-HTTPS external link: http://127.0.0.1:8000/agents/${AGENT_ID}/sessions/${SESSION_ID}/messages

⚠ Git Repository History score 3.0

Repository not found (deleted or private)

Repository not found (deleted or private)

⚠ Maintainer History score 8.0

4 maintainer concern(s) found

Only one version has ever been released — brand new package
Package uploaded less than 24 hours ago (2026-06-05T06:54:19.000Z)
Author name is missing or very short
Author "" appears to have only 1 package on PyPI (new or inactive account)