PkgRadar

PyPI · pypi.org

behemot-framework

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Why PkgRadar flagged 0.5.5

Severity | Signal                 | Evidence
high     | Webhook Exfil Endpoint | matched "api.telegram.org/bot" · behemot_framework-0.5.5/behemot_framework/startup.py
high     | Webhook Exfil Endpoint | matched "api.telegram.org/bot" · behemot_framework-0.5.5/behemot_framework/startup_backup.py
medium   | Credential file access | matched "aws_access_key" · behemot_framework-0.5.5/behemot_framework/rag/document_loader.py
medium   | Credential file access | matched "GOOGLE_APPLICATION_CREDENTIALS" · behemot_framework-0.5.5/behemot_framework/startup.py
medium   | Credential file access | matched "GOOGLE_APPLICATION_CREDENTIALS" · behemot_framework-0.5.5/behemot_framework/startup_backup.py
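The signals above are string matches over the package's source files: a known bot/webhook API host scored high, names of credential files or variables scored medium. The scanner below is an added example (not PkgRadar's code and not code from behemot-framework) that reproduces that kind of check so you can run it yourself on a downloaded sdist. It assumes the regexes and the verdict labels other than "High risk"; it also extends the page's single webhook indicator with two other common webhook hosts (Slack, Discord) as an assumption about what such a rule typically covers. The sdist it scans is constructed in memory, so it runs offline.

```python
"""Scan a Python sdist (tar.gz) for string signals, PkgRadar-style.

Added example: not PkgRadar's implementation and not behemot-framework code.
Signal names and severities follow the report on this page; the regexes,
the extra webhook hosts and the non-"High risk" verdict labels are assumptions.
"""
import io
import re
import tarfile
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# (signal name, severity, pattern). The first two hosts beyond Telegram and
# the credential paths beyond the page's two strings are assumed extensions.
SIGNALS = [
    ("Webhook Exfil Endpoint", "high", re.compile(
        r"api\.telegram\.org/bot|hooks\.slack\.com/services|discord(?:app)?\.com/api/webhooks")),
    ("Credential file access", "medium", re.compile(
        r"aws_access_key|GOOGLE_APPLICATION_CREDENTIALS|\.aws/credentials|\.ssh/id_")),
]

# Only source-like files are scanned; scanning docs too is a policy choice.
SCANNED_SUFFIXES = (".py", ".cfg", ".toml", ".ini")


@dataclass(frozen=True)
class Finding:
    severity: str
    signal: str
    matched: str
    path: str
    line: int


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every signal to every line; report the exact matched substring."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, severity, rx in SIGNALS:
            m = rx.search(line)
            if m:
                findings.append(Finding(severity, name, m.group(0), path, lineno))
    return findings


def scan_sdist(data: bytes) -> list[Finding]:
    """Walk a tar.gz sdist in memory and return findings, highest severity first."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(SCANNED_SUFFIXES):
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            text = fh.read().decode("utf-8", errors="replace")
            findings.extend(scan_text(member.name, text))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))


def verdict(findings: list[Finding]) -> str:
    """'High risk' matches the page; the other two labels are assumptions."""
    if any(f.severity == "high" for f in findings):
        return "High risk"
    if findings:
        return "Medium risk"
    return "Clean"


def build_sample_sdist() -> bytes:
    """Constructed sdist for the demo. These are NOT the real package's files."""
    files = {
        "pkg-0.0.1/pkg/startup.py": (
            "import os\n"
            "creds = os.environ.get('GOOGLE_APPLICATION_CREDENTIALS')\n"
            "TELEGRAM_API = 'https://api.telegram.org/bot' + os.environ['TOKEN']\n"
        ),
        "pkg-0.0.1/pkg/loader.py": "key = cfg.get('aws_access_key')\n",
        # .md is outside SCANNED_SUFFIXES, so this line produces no finding.
        "pkg-0.0.1/README.md": "Set api.telegram.org/bot token in config.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            payload = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_sdist(build_sample_sdist())
    for f in results:
        print(f"{f.severity:<6} {f.signal:<23} matched \"{f.matched}\" · {f.path}:{f.line}")
    print("Verdict:", verdict(results))
```

A match like this is a heuristic, not proof of exfiltration: a framework that legitimately drives a Telegram bot will contain the same URL string. Treat a high signal as a prompt to read the flagged files and check what data actually flows to that endpoint, in particular whether the credential values the medium signals point at are ever sent there.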

Scanned versions

Version | Verdict   | Score | Scanned (UTC)
0.5.5   | High risk | 85    | 2026-06-06
0.5.4   | High risk | 85    | 2026-06-06
0.5.3   | High risk | 85    | 2026-06-06

Block this in CI

PkgRadar gates behemot-framework (and every other dependency) before the change that introduces it merges. One line in your pipeline, pinned to the exact version you are about to install:

pkgradar gate --ecosystem pypi behemot-framework==0.5.5