
scanning pypi frictionless package with guarddog produces "potentially malicious indicators" error #1636

Open
samqi opened this issue Feb 5, 2024 · 0 comments


samqi commented Feb 5, 2024

Overview

After installing datadog's guarddog to scan pypi packages, guarddog finds 1 "potentially malicious indicators".

FYI, "GuardDog is a CLI tool to Identify malicious PyPI and npm packages" or

GuardDog is a CLI tool that allows to identify malicious PyPI and npm packages. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata.

GuardDog can be used to scan local or remote PyPI and npm packages using any of the available heuristics.

To reproduce the error message:

  1. In CLI or Jupyter notebook (with `!`):

```
pip install guarddog
guarddog pypi scan frictionless
```

  2. Running the above command, you will encounter an error:

```
Found 1 potentially malicious indicators in frictionless

exec-base64: found 1 source code matches
  * This package contains a call to the `eval` function with a `base64` encoded string as argument.
This is a common method used to hide a malicious payload in a module as static analysis will not decode the
string.
 at frictionless-5.16.1/frictionless/console/commands/explore.py:62
        os.system(f"vd {' '.join(paths)}")
```
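The following is an added example (not code from frictionless, GuardDog or the issue author) illustrating the two things a reviewer would want to separate in the report above: what the `exec-base64` description actually denotes (an `eval`/`exec` of a base64-decoded literal), and what the flagged line really is (a shell command string assembled with an f-string and handed to `os.system`). The `matches_exec_base64_description` regex is a deliberately simplified stand-in for the heuristic's stated description, not GuardDog's Semgrep rule. `echo` stands in for the `vd` (VisiData) binary so the block runs on any POSIX system, the hostile path is constructed, and whether `paths` can ever carry untrusted input in frictionless is an assumption the issue does not settle; the point is only that a metacharacter in a filename turns the shell-string form into two commands while the argv form passes it through as one argument.

```python
import base64
import re
import subprocess

# Constructed input: a "path" carrying a shell metacharacter, as an attacker
# could supply if path arguments came from an untrusted source (an assumption;
# the issue does not show where frictionless gets them).
HOSTILE_PATH = "a.csv; echo INJECTED"

# `echo` stands in for the `vd` binary so the example runs anywhere with a
# POSIX shell; only the shape of the call matters here.
TOOL = "echo"


def run_shell_style(paths):
    """Same shape as the flagged line: one shell string built with an f-string.
    os.system() does exactly this; subprocess with shell=True is used here only
    so stdout can be captured and inspected."""
    cmd = f"{TOOL} {' '.join(paths)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_style(paths):
    """Hardened form: no shell, each path is one argv element, so a
    metacharacter inside a filename cannot start a second command."""
    return subprocess.run([TOOL, *paths], capture_output=True, text=True).stdout


# Simplified stand-in for the finding's description ("a call to eval with a
# base64 encoded string as argument"). Not GuardDog's rule; it only shows
# what that description matches and what it does not.
_EXEC_B64 = re.compile(r"\b(eval|exec)\s*\(\s*(base64\.)?b64decode\s*\(")


def matches_exec_base64_description(source: str) -> bool:
    return bool(_EXEC_B64.search(source))


# Constructed sample of a genuine exec-base64 shape. The payload is encoded
# here so a reader can see it is harmless; a static scanner cannot.
PAYLOAD_B64 = base64.b64encode(b'print("hello")').decode()
MALICIOUS_SHAPE = f"import base64\neval(base64.b64decode('{PAYLOAD_B64}'))\n"
FLAGGED_LINE = "os.system(f\"vd {' '.join(paths)}\")\n"


def decode_without_executing(source: str) -> str:
    """Recover the hidden payload of an exec-base64 sample for review without
    running it: decode the first base64 literal passed to b64decode."""
    literal = re.search(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", source)
    if literal is None:
        return ""
    return base64.b64decode(literal.group(1)).decode()


if __name__ == "__main__":
    print("shell-string form :", repr(run_shell_style([HOSTILE_PATH])))
    print("argv form         :", repr(run_argv_style([HOSTILE_PATH])))
    print("exec-base64 sample matches description:",
          matches_exec_base64_description(MALICIOUS_SHAPE))
    print("flagged line matches description      :",
          matches_exec_base64_description(FLAGGED_LINE))
    print("hidden payload:", decode_without_executing(MALICIOUS_SHAPE))
```

Running it shows the shell-string form emitting two lines (`a.csv`, then `INJECTED`) while the argv form prints the hostile string as a single argument, and that the flagged `os.system` line does not match the `eval`-of-base64 description at all. If `paths` in the real code is user-controlled, the argv form is the fix a reviewer would ask for regardless of which heuristic fired.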