PyPI · pypi.org

qualix

Py Install Time Subprocess: subprocess call — process spawning.

Why PkgRadar flagged 0.2.0a1

Severity	Signal	Evidence
medium	Py Install Time Subprocess	subprocess call — process spawning. · qualix-0.2.0a1/src/qualix/commands/setup.py
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · qualix-0.2.0a1/scripts/feishu_browser_images.py
high	Py Runtime Dynamic Dangerous Import	Dynamic __import__('sys') — reflection bypass for static checks. · qualix-0.2.0a1/src/qualix/tracking/experiment.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.2.0a1`	High risk	115	2026-06-01

Block this in CI

PkgRadar gates qualix (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi qualix==0.2.0a1