PkgRadar

PyPI · pypi.org

forge-manager-mcp

Py Runtime Dynamic Dangerous Import: Dynamic __import__('os') — reflection bypass for static checks.

Why PkgRadar flagged 4.3.0a3

SeveritySignalEvidence
highPy Runtime Dynamic Dangerous ImportDynamic __import__('os') — reflection bypass for static checks. · forge_manager_mcp-4.3.0a3/src/forge_manager_mcp/daemon/main.py

Scanned versions

VersionVerdictScoreScanned (UTC)
4.3.0a3High risk302026-06-13
4.3.0a2High risk302026-06-10
4.3.0a1High risk302026-06-08
4.2.0High risk302026-06-07
4.2.0a11High risk302026-06-07
4.2.0a10High risk302026-06-06
4.2.0a9High risk302026-06-05
4.2.0a8High risk302026-06-03
4.2.0a7High risk302026-06-03
4.2.0a6High risk302026-06-03
4.2.0a5High risk302026-06-01
4.2.0a4High risk302026-06-01
4.2.0a3High risk302026-06-01
4.2.0a2High risk302026-06-01
4.2.0a1High risk302026-05-31
4.1.0High risk302026-05-30
4.1.0a1High risk302026-05-30
4.0.0High risk302026-05-30
3.20.1High risk302026-05-30
3.20.0High risk302026-05-30
3.19.0High risk302026-05-30
3.19.0a9High risk302026-05-30
3.19.0a8High risk302026-05-30

Block this in CI

PkgRadar gates forge-manager-mcp (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi forge-manager-mcp==4.3.0a3
Start free — 25 scans / moView full evidence