Skip to content
clusters: prooflayer · edgemarket · edgefinance · synthforge · mediakit · wordmint · webprobe · locale · comppoint · rollforge · bestiary · statline · matchpoint · retail · agentops · browserworkflow · modelrouter · compose
$ man pypi-package-risk

/pypi-package-risk

agentutility / prooflayer / pypi-package-risk
PRICE / CALL
$0.01
USDC · base mainnet · scheme: exact
METHOD
POST
CLUSTER
prooflayer
CATEGORY
ai
STATUS
live
NAME
pypi-package-risk scores the supply-chain risk of a pypi package before you install it
SYNOPSIS
POST https://x402.agentutility.ai/pypi-package-risk
     Content-Type: application/json
     X-PAYMENT:    <signed-transferWithAuthorization>

     { ... }
↳ first call → 402 Payment Required. Sign USDCtransferWithAuthorization, retry with theX-PAYMENT header.
DESCRIPTION

Scores the supply-chain risk of a PyPI package before you install it. Pulls metadata + release history from pypi.org for a package (and optional version), evaluating age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and an AI-written plain-English risk summary from Venice. Use it as a Python supply-chain scanner, pip dependency vetter, typosquat detector, pre-install audit, Python-package safety check, pyproject.toml / requirements.txt vetter, or poetry + uv pre-install gate.

INPUTrequest schema
propertytypedescriptionreq?
package_namestringPyPI package distribution name (e.g. 'requests', 'django'). Case-insensitive; resolved via pypi.org/pypi/{name}/json.required
versionstringOptional specific version (e.g. '2.31.0'). Default: latest stable release.optional
OUTPUTresponse shape
fieldtypedescription
package_namestringPyPI package name that was scanned.
versionstringPackage version evaluated for the risk score, usually the latest release on PyPI.
scorenumberOverall risk score from 0 (safe) to 100 (high risk) combining all supply-chain signals.
risk_levelstringCategorical risk bucket like low, medium, high, or critical derived from the score.
summarystringLLM-written plain-English risk summary covering the main red flags found in the package.
signalsobjectPer-check signals: age, monthly downloads, install-script hooks, dep depth, deprecation, typosquat distance.
metadataobjectPyPI metadata snapshot: author, upload date, homepage, license, project URLs, and release count.
EXAMPLEStwo ways to call
EXAMPLE 1 · curl
curl -X POST https://x402.agentutility.ai/pypi-package-risk \
  -H 'Content-Type: application/json' \
  -d '{ }'
first response = 402 Payment Required with payment requirements; sign + retry with X-PAYMENT.
EXAMPLE 2 · mcp
# Install the MCP package for this endpoint's cluster
npx -y @agentutility/mcp-<cluster>

# Required: EVM private key with USDC on Base
export X402_PRIVATE_KEY=0x...

# Then call the pypi-package-risk tool from your MCP-aware agent.
MCP server handles payment automatically — your coding agent just calls the tool by name.
METADATA
tags
pypipythonsupply-chainsecurityrisk
env
VENICE_API_KEY
methods
POST
cluster
prooflayer
price
$0.01 USDC per call
ADJACENTother endpoints in prooflayer
endpointdescriptionprice
cveLooks up a CVE and returns the full NIST NVD vulnerability record.$0.005
cve-lookupLooks up a CVE and returns its canonical NIST NVD record: description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE…$0.005
app-store-rejection-explainExplains App Store and Google Play rejections and turns them into a resubmission plan.$0.02
db-migration-riskAudits database migrations for risky SQL before deploy.$0.02
deploy-config-riskAudits deploy configuration files for production risks.$0.02
secrets-exposure-checkScans project config files for hardcoded secrets before you deploy.$0.02
ai-content-detectorDetect AI-generated writing with a calibrated probability score.$0.03
dep-risk-summaryScores dependency risk for a whole repo from its manifests and lockfiles.$0.03
SEE ALSO
agentutility · prooflayer · x402 · mcp · llms.txt · registry.json · bazaar.x402.org