PkgRadar

PyPI · pypi.org

eximia-agent

Py Install Time Subprocess: subprocess call — process spawning.

Why PkgRadar flagged 0.13.17

SeveritySignalEvidence
mediumPy Install Time Subprocesssubprocess call — process spawning. · eximia_agent-0.13.17/eximia_cli/setup.py
mediumPy Install Time Subprocesssubprocess call — process spawning. · eximia_agent-0.13.17/skills/productivity/google-workspace/scripts/setup.py
highPython Bun Js ExecPython file references the Bun JavaScript runtime — cross-language execution · eximia_agent-0.13.17/agent/lsp/servers.py
highPython Bun Js ExecPython file references the Bun JavaScript runtime — cross-language execution · eximia_agent-0.13.17/tools/terminal_tool.py
highPy Install Time Network CallNetwork call (urllib/requests/httpx/http.client) at install or import time. · eximia_agent-0.13.17/skills/productivity/google-workspace/scripts/setup.py
mediumPy Import Time Subprocesssubprocess call — process spawning. · eximia_agent-0.13.17/plugins/memory/byterover/__init__.py
mediumPy Import Time Subprocesssubprocess call — process spawning. · eximia_agent-0.13.17/plugins/memory/hindsight/__init__.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · eximia_agent-0.13.17/eximia_cli/clipboard.py
highCredential file accessmatched ".npmrc" · eximia_agent-0.13.17/eximia_cli/security_advisories.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · eximia_agent-0.13.17/skills/productivity/google-workspace/scripts/google_api.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · eximia_agent-0.13.17/tools/tts_tool.py
highPy Import Time Network CallNetwork call (urllib/requests/httpx/http.client) at install or import time. · eximia_agent-0.13.17/plugins/image_gen/xai/__init__.py

Scanned versions

VersionVerdictScoreScanned (UTC)
0.13.17High risk3842026-06-09
0.13.16High risk3342026-06-09
0.13.15High risk3342026-06-04
0.13.11High risk3342026-06-03
0.13.10High risk3342026-06-02

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates eximia-agent (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi eximia-agent==0.13.17
Start free — 25 scans / moView full evidence