PkgRadar

PyPI · pypi.org

workweaver

Py Runtime Dynamic Dangerous Import: Dynamic __import__('os') — reflection bypass for static checks.

Why PkgRadar flagged 0.1.12

Severity | Signal | Evidence
high | Py Runtime Dynamic Dangerous Import | Dynamic __import__('os') — reflection bypass for static checks. · workweaver-0.1.12/apps/backend/managed_lambda_handler.py
high | Credential file access | matched "aws_secret_access_key" · workweaver-0.1.12/apps/backend/services/inference/sync_bridge.py
medium | Credential file access | matched "AWS_ACCESS_KEY" · workweaver-0.1.12/apps/backend/providers/secret_provider.py
medium | Credential file access | matched "aws_access_key" · workweaver-0.1.12/apps/backend/services/inference/bedrock_client.py
medium | Credential file access | matched "AWS_ACCESS_KEY" · workweaver-0.1.12/apps/backend/voice_services/xai_relay_service.py

Scanned versions

Version | Verdict | Score | Scanned (UTC)
0.1.12 | High risk | 130 | 2026-06-02

Block this in CI

PkgRadar gates workweaver (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi workweaver==0.1.12