PkgRadar

PyPI · pypi.org

skypilot-nightly

Py Install Time Subprocess: subprocess call — process spawning.

Why PkgRadar flagged 1.0.0.dev20260612

| Severity | Signal | Evidence |
| --- | --- | --- |
| medium | Py Install Time Subprocess | subprocess call — process spawning. · skypilot_nightly-1.0.0.dev20260612/setup.py |
| medium | Py Install Time Subprocess | subprocess call — process spawning. · skypilot_nightly-1.0.0.dev20260612/sky/setup_files/setup.py |
| medium | Py Import Time Subprocess | subprocess call with shell=True — passes argv to /bin/sh. · skypilot_nightly-1.0.0.dev20260612/sky/skylet/ray_patches/__init__.py |
| medium | Py Import Time Subprocess | subprocess call — process spawning. · skypilot_nightly-1.0.0.dev20260612/sky/__init__.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · skypilot_nightly-1.0.0.dev20260612/sky/batch/utils.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · skypilot_nightly-1.0.0.dev20260612/sky/client/sdk.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · skypilot_nightly-1.0.0.dev20260612/sky/server/server.py |
| medium | Remote Payload | matched "raw.githubusercontent.com" · skypilot_nightly-1.0.0.dev20260612/sky/utils/kubernetes/create_cluster.sh |
| medium | Credential file access | matched ".aws/" · skypilot_nightly-1.0.0.dev20260612/sky/clouds/nebius.py |
| medium | Credential file access | matched "AWS_ACCESS_KEY" · skypilot_nightly-1.0.0.dev20260612/sky/skylet/events.py |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| 1.0.0.dev20260612 | High risk | 146 | 2026-06-12 |
| 1.0.0.dev20260611 | High risk | 146 | 2026-06-11 |
| 1.0.0.dev20260610 | High risk | 146 | 2026-06-10 |
| 1.0.0.dev20260609 | High risk | 146 | 2026-06-09 |
| 1.0.0.dev20260607 | High risk | 146 | 2026-06-07 |
| 1.0.0.dev20260605 | High risk | 146 | 2026-06-05 |
| 1.0.0.dev20260604 | High risk | 146 | 2026-06-04 |
| 1.0.0.dev20260603 | High risk | 146 | 2026-06-03 |
| 1.0.0.dev20260602 | High risk | 146 | 2026-06-02 |
| 1.0.0.dev20260530 | High risk | 146 | 2026-05-30 |
| 1.0.0.dev20260529 | High risk | 146 | 2026-05-30 |
| 1.0.0.dev20260528 | High risk | 146 | 2026-05-30 |
| 1.0.0.dev20260527 | High risk | 146 | 2026-05-30 |

Block this in CI

PkgRadar gates skypilot-nightly (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi skypilot-nightly==1.0.0.dev20260612