PyPI · pypi.org
tm-ai
Py Install Time Subprocess: subprocess call — process spawning.
Why PkgRadar flagged 2.91.15
| Severity | Signal | Evidence |
|---|---|---|
| medium | Py Install Time Subprocess | subprocess call — process spawning. · tm_ai-2.91.15/cvc/agent/_vendor/hermes/hermes_cli/setup.py |
| medium | Py Install Time Subprocess | subprocess call — process spawning. · tm_ai-2.91.15/cvc/bundled_skills/productivity/google-workspace/scripts/setup.py |
| high | Py Install Time Network Call | Network call (urllib/requests/httpx/http.client) at install or import time. · tm_ai-2.91.15/cvc/bundled_skills/productivity/google-workspace/scripts/setup.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · tm_ai-2.91.15/cvc/agent/_vendor/hermes/hermes_cli/clipboard.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · tm_ai-2.91.15/cvc/agent/_vendor/hermes/tools/tts_tool.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · tm_ai-2.91.15/cvc/bundled_skills/productivity/google-workspace/scripts/google_api.py |
| medium | Remote Payload | matched "curl " · tm_ai-2.91.15/cvc/agent/_vendor/hermes/hermes_cli/memory_setup.py |
| medium | Remote Payload | matched "github.com/KittenML/KittenTTS/releases/download" · tm_ai-2.91.15/cvc/agent/_vendor/hermes/hermes_cli/setup.py |
| medium | Credential file access | matched "AWS_ACCESS_KEY" · tm_ai-2.91.15/cvc/agent/_vendor/hermes/hermes_cli/model_switch.py |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
2.91.15 | High risk | 215 | 2026-06-05 |
Block this in CI
pkgradar gate --ecosystem pypi tm-ai==2.91.15