$ man pypi-package-risk
/pypi-package-risk
PRICE / CALL
$0.01
USDC · base mainnet · scheme: exact
METHOD
POST
CLUSTER
prooflayer
CATEGORY
ai
STATUS
● live
NAME
pypi-package-risk — scores the supply-chain risk of a pypi package before you install it
SYNOPSIS
POST https://x402.agentutility.ai/pypi-package-risk
Content-Type: application/json
X-PAYMENT: <signed-transferWithAuthorization>
{ ... }
↳ first call → 402 Payment Required. Sign USDC transferWithAuthorization, retry with the X-PAYMENT header.
DESCRIPTION
Scores the supply-chain risk of a PyPI package before you install it. Pulls metadata + release history from pypi.org for a package (and optional version), evaluating age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and an AI-written plain-English risk summary from Venice. Use it as a Python supply-chain scanner, pip dependency vetter, typosquat detector, pre-install audit, Python-package safety check, pyproject.toml / requirements.txt vetter, or poetry + uv pre-install gate.
INPUT — request schema
| property | type | description | req? |
|---|---|---|---|
| package_name | string | PyPI package distribution name (e.g. 'requests', 'django'). Case-insensitive; resolved via pypi.org/pypi/{name}/json. | required |
| version | string | Optional specific version (e.g. '2.31.0'). Default: latest stable release. | optional |
OUTPUT — response shape
| field | type | description |
|---|---|---|
| package_name | string | PyPI package name that was scanned. |
| version | string | Package version evaluated for the risk score, usually the latest release on PyPI. |
| score | number | Overall risk score from 0 (safe) to 100 (high risk) combining all supply-chain signals. |
| risk_level | string | Categorical risk bucket like low, medium, high, or critical derived from the score. |
| summary | string | LLM-written plain-English risk summary covering the main red flags found in the package. |
| signals | object | Per-check signals: age, monthly downloads, install-script hooks, dep depth, deprecation, typosquat distance. |
| metadata | object | PyPI metadata snapshot: author, upload date, homepage, license, project URLs, and release count. |
EXAMPLES — two ways to call
EXAMPLE 1 · curl
curl -X POST https://x402.agentutility.ai/pypi-package-risk \
-H 'Content-Type: application/json' \
-d '{ }'
first response = 402 Payment Required with payment requirements; sign + retry with X-PAYMENT.
EXAMPLE 2 · mcp
# Install the MCP package for this endpoint's cluster
npx -y @agentutility/mcp-<cluster>
# Required: EVM private key with USDC on Base
export X402_PRIVATE_KEY=0x...
# Then call the pypi-package-risk tool from your MCP-aware agent.
MCP server handles payment automatically — your coding agent just calls the tool by name.
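A pre-install gate built on the INPUT and OUTPUT tables above, as an added example that is not the endpoint's own code: it turns requirements.txt lines into request bodies and decides allow or block from a response, with constructed sample responses standing in for paid calls. The function names, the `block_at` threshold and the fail-closed rules are assumptions; it gates on `risk_level` rather than `score` because DESCRIPTION and OUTPUT give different ranges for `score`.

```python
import re

RISK_ORDER = ["low", "medium", "high", "critical"]  # buckets named in the OUTPUT table
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([A-Za-z0-9.!+_-]+))?$")

def request_bodies(requirements_text):
    """Map 'name' / 'name==version' lines to request bodies per the INPUT schema."""
    bodies = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):       # blanks and pip options (-r, -e, --hash)
            continue
        m = PIN.match(line)
        if not m:                                  # ranges, URLs, extras: not handled here
            raise ValueError(f"unsupported requirement line: {raw!r}")
        body = {"package_name": m.group(1).lower()}  # the endpoint is case-insensitive
        if m.group(2):
            body["version"] = m.group(2)
        bodies.append(body)
    return bodies

def gate(body, response, block_at="high"):
    """Return (allow, reason); anything that does not match the request fails closed."""
    level = str(response.get("risk_level", "")).lower()
    if level not in RISK_ORDER:
        return False, f"unrecognised risk_level {level!r}"
    if str(response.get("package_name", "")).lower() != body["package_name"]:
        return False, "response is for a different package"
    if "version" in body and response.get("version") != body["version"]:
        return False, "scored version differs from the pinned version"
    if RISK_ORDER.index(level) >= RISK_ORDER.index(block_at):
        return False, f"risk_level {level}"
    return True, f"risk_level {level}"

def vet(requirements_text, responses):
    """Gate every requirement; a package with no response is blocked."""
    return {b["package_name"]: gate(b, responses.get(b["package_name"], {}))
            for b in request_bodies(requirements_text)}

# Constructed sample input and responses (hypothetical values, documented field names).
REQS = "requests==2.31.0  # pinned\nexample-pkg\n-r other.txt\n"
RESPONSES = {
    "requests": {"package_name": "requests", "version": "2.31.0", "risk_level": "low"},
    "example-pkg": {"package_name": "example-pkg", "version": "0.0.1", "risk_level": "high"},
}

if __name__ == "__main__":
    for name, (allow, reason) in vet(REQS, RESPONSES).items():
        print(f"{'ALLOW' if allow else 'BLOCK'} {name}: {reason}")
```

The version check matters because the OUTPUT table says the evaluated version is usually the latest release, which may not be the one a lockfile pins.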
METADATA
- tags: pypi, python, supply-chain, security, risk
- env: VENICE_API_KEY
- methods: POST
- cluster: prooflayer
- price: $0.01 USDC per call
ADJACENT — other endpoints in prooflayer
| endpoint | description | price |
|---|---|---|
| cve | Looks up a CVE and returns the full NIST NVD vulnerability record. | $0.005 |
| cve-lookup | Looks up a CVE and returns its canonical NIST NVD record: description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE… | $0.005 |
| app-store-rejection-explain | Explains App Store and Google Play rejections and turns them into a resubmission plan. | $0.02 |
| db-migration-risk | Audits database migrations for risky SQL before deploy. | $0.02 |
| deploy-config-risk | Audits deploy configuration files for production risks. | $0.02 |
| secrets-exposure-check | Scans project config files for hardcoded secrets before you deploy. | $0.02 |
| ai-content-detector | Detect AI-generated writing with a calibrated probability score. | $0.03 |
| dep-risk-summary | Scores dependency risk for a whole repo from its manifests and lockfiles. | $0.03 |