PyPI · pypi.org

anvil-app-server

Py Import Time Os System: Direct shell invocation via os.system / os.popen / os.exec*.

Why PkgRadar flagged 1.16.0

Severity	Signal	Evidence
high	Py Import Time Os System	Direct shell invocation via os.system / os.popen / os.exec*. · anvil_app_server-1.16.0/anvil_app_server/__init__.py
medium	Py Import Time Subprocess	subprocess call — process spawning. · anvil_app_server-1.16.0/anvil_app_server/__init__.py
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · anvil_app_server-1.16.0/anvil_downlink_host/pdf_renderer.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`1.16.0`	High risk	56	2026-06-09

Block this in CI

PkgRadar gates anvil-app-server (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi anvil-app-server==1.16.0