SkillTotal
← Back to home

Scan PyPI packages before you install

A typosquatted PyPI package can run code at install or import time. Type pypi:<package> and see setup hooks, import-time payloads, and exfiltration — with evidence — before you pip install.

Scan a component — free →

What it looks for in PyPI packages

  • Install/import-time execution: code in setup.py or a package __init__.py that runs on install or first import.
  • Obfuscated droppers: base64/hex decode-and-execute and dynamic exec/eval that download and run a second stage.
  • Credential theft: reading ~/.ssh, cloud credential files, or env secrets and sending them off-host.

Built for the AI ecosystem

SkillTotal focuses on the packages AI tools pull in. Detection is deterministic (regex + AST), the package is analyzed statically (never executed, never sent to an LLM), and findings are separated into malicious indicators vs powerful capabilities so legitimate libraries are not mislabeled.

FAQ

Can I pin a version?
Yes — use pypi:<package>==<version>. Without a version the latest release is analyzed.
Does it catch typosquats?
It analyzes whatever package you name; a typosquat's malicious behavior (install hooks, droppers, exfiltration) is exactly what the rules detect, with evidence.
What about unsafe deserialization?
Unsafe pickle/marshal-style deserialization is detected as a risky construct and contributes to the risk score.