PyPI · pypi.org
skypilot
Py Install Time Subprocess: subprocess call — process spawning.
Why PkgRadar flagged 0.12.3.post1
| Severity | Signal | Evidence |
|---|---|---|
| medium | Py Install Time Subprocess | subprocess call — process spawning. · skypilot-0.12.3.post1/setup.py |
| medium | Py Install Time Subprocess | subprocess call — process spawning. · skypilot-0.12.3.post1/sky/setup_files/setup.py |
| medium | Py Import Time Subprocess | subprocess call with shell=True — passes argv to /bin/sh. · skypilot-0.12.3.post1/sky/skylet/ray_patches/__init__.py |
| medium | Py Import Time Subprocess | subprocess call — process spawning. · skypilot-0.12.3.post1/sky/__init__.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · skypilot-0.12.3.post1/sky/batch/utils.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · skypilot-0.12.3.post1/sky/client/sdk.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · skypilot-0.12.3.post1/sky/server/server.py |
| medium | Remote Payload | matched "raw.githubusercontent.com" · skypilot-0.12.3.post1/sky/utils/kubernetes/create_cluster.sh |
| medium | Credential file access | matched ".aws/" · skypilot-0.12.3.post1/sky/clouds/nebius.py |
| medium | Credential file access | matched "AWS_ACCESS_KEY" · skypilot-0.12.3.post1/sky/skylet/events.py |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
0.12.3.post1 | High risk | 146 | 2026-05-30 |
Block this in CI
pkgradar gate --ecosystem pypi skypilot==0.12.3.post1