PkgRadar

PyPI · pypi.org

evo-hq-cli

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 0.6.0a1

| Severity | Signal | Evidence |
|---|---|---|
| high | Python Bun Js Exec | Python file references the Bun JavaScript runtime — cross-language execution · evo_hq_cli-0.6.0a1/src/evo/host_install/openclaw.py |
| high | Python Bun Js Exec | Python file references the Bun JavaScript runtime — cross-language execution · evo_hq_cli-0.6.0a1/src/evo/host_install/opencode.py |
| medium | Py Import Time Subprocess | subprocess call — process spawning. · evo_hq_cli-0.6.0a1/src/evo/host_install/__init__.py |
| high | Py Runtime Dynamic Dangerous Import | Dynamic __import__('sys') — reflection bypass for static checks. · evo_hq_cli-0.6.0a1/src/evo/host_install/codex.py |
| high | Py Runtime Dynamic Dangerous Import | Dynamic __import__('sys') — reflection bypass for static checks. · evo_hq_cli-0.6.0a1/src/evo/host_install/openclaw.py |
| medium | Credential file access | matched "AWS_ACCESS_KEY" · evo_hq_cli-0.6.0a1/src/evo/dashboard.py |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 0.6.0a1 | High risk | 147 | 2026-06-17 |
| 0.5.3 | High risk | 147 | 2026-06-14 |
| 0.5.2 | High risk | 147 | 2026-06-11 |
| 0.5.1 | High risk | 147 | 2026-06-11 |
| 0.5.0 | High risk | 97 | 2026-06-06 |
| 0.5.0a13 | High risk | 97 | 2026-06-05 |
| 0.5.0a12 | High risk | 97 | 2026-06-05 |
| 0.5.0a11 | High risk | 97 | 2026-06-04 |
| 0.5.0a10 | High risk | 97 | 2026-06-04 |
| 0.5.0a9 | High risk | 97 | 2026-06-04 |
| 0.5.0a8 | High risk | 97 | 2026-06-04 |
| 0.4.5 | High risk | 97 | 2026-06-04 |
| 0.5.0a7 | High risk | 97 | 2026-06-02 |
| 0.5.0a6 | High risk | 97 | 2026-06-02 |
| 0.5.0a5 | High risk | 97 | 2026-06-01 |
| 0.5.0a4 | High risk | 97 | 2026-06-01 |
| 0.5.0a3 | High risk | 97 | 2026-06-01 |
| 0.4.4 | High risk | 97 | 2026-05-30 |
| 0.4.4a6 | High risk | 97 | 2026-05-30 |
| 0.4.4a5 | High risk | 97 | 2026-05-30 |
| 0.4.4a4 | High risk | 97 | 2026-05-30 |
| 0.4.4a3 | High risk | 97 | 2026-05-30 |
| 0.4.4a2 | High risk | 97 | 2026-05-30 |
| 0.4.4a1 | High risk | 97 | 2026-05-30 |

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates evo-hq-cli (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi evo-hq-cli==0.6.0a1