Is requests safe?
- Python network egress
- Python filesystem write/delete
requests is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 2 risky constructs are reported for review. It can perform filesystem writes and network egress; capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).
requests 2.34.2
Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of requests's authors.
Findings (2)
The component writes or deletes files on disk.
os.remove(tmp_name)
Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
The component makes outbound network requests.
import urllib3
urllib3_version_list = urllib3_version.split(".")[:3]
urllib3_version_list.append("0")
from urllib3.contrib import pyopenssl
pyopenssl.inject_into_urllib3()
from urllib3.exceptions import DependencyWarning
from urllib3.exceptions import (
ClosedPoolError,
ConnectTimeoutError,
LocationValueError,
MaxRetryError,
NewConnectionError,
ProtocolError,
ReadTimeoutError,
ResponseError,
)
from urllib3.exceptions import HTTPError as _HTTPError
from urllib3.exceptions import InvalidHeader as _InvalidHeader
from urllib3.exceptions import ProxyError as _ProxyError
from urllib3.exceptions import SSLError as _SSLError
from urllib3.poolmanager import PoolManager, proxy_from_url
from urllib3.util import Timeout as TimeoutSauce
from urllib3.util import parse_url
from urllib3.util.retry import Retry
from urllib3.contrib.socks import SOCKSProxyManager # type: ignore[assignment]
from urllib3.connectionpool import HTTPConnectionPool
from urllib3.poolmanager import PoolManager as _PoolManager
self.max_retries = Retry(0, read=False)
self.max_retries = Retry.from_int(max_retries)
self.poolmanager = PoolManager(
num_pools=connections,
maxsize=maxsize,
block=block,
**pool_kwargs,
)
manager = self.proxy_manager[proxy] = SOCKSProxyManager(
proxy,
username=username,
password=password,
num_pools=self._pool_connections,
maxsize=self._pool_maxsi …
manager = self.proxy_manager[proxy] = proxy_from_url(
proxy,
proxy_headers=proxy_headers,
num_pools=self._pool_connections,
maxsize=self._pool_maxsize,
block=se …
proxy_url = parse_url(proxy)
proxy_url = parse_url(proxy)
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.