PkgRadar

PyPI · pypi.org

torchani

Py Install Time Subprocess: subprocess call with shell=True — passes argv to /bin/sh.

Why PkgRadar flagged 2.8.2

SeveritySignalEvidence
mediumPy Install Time Subprocesssubprocess call with shell=True — passes argv to /bin/sh. · torchani-2.8.2/setup.py
mediumRemote Payloadmatched "wget " · torchani-2.8.2/download-dev-data.sh

Scanned versions

VersionVerdictScoreScanned (UTC)
2.8.2Review312026-05-28
2.8.1Review312026-05-28

Block this in CI

PkgRadar gates torchani (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi torchani==2.8.2
Start free — 25 scans / moView full evidence