Metadata-Version: 2.4
Name: a_package_that_demo_pypi_vulnerability
Version: 0.1.0
Summary: An educational package demonstrating that pip packages can freely access your filesystem. Think before you install.
Author: mike
License-Expression: MIT
License-File: LICENSE
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Education
Classifier: Topic :: Security
Requires-Python: >=3.8
Description-Content-Type: text/markdown

# a_package_that_demo_pypi_vulnerability

An educational package that demonstrates a fundamental security concern with the Python packaging ecosystem: **any package you `pip install` runs as you, with no sandbox, and can read anything on the filesystem your user can read**.

## What does it do?

When you call the `demonstrate_vulnerability()` function, it:

1. Walks your entire home directory
2. Lists every file it finds along with its size
3. Prints a warning explaining what just happened

**Nothing is exfiltrated, uploaded, or sent anywhere.** All output goes to your terminal. The point is to show you what a malicious package *could* do silently.
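The three steps above, as an added example written for this README rather than the package's own implementation. It walks a directory (your home directory by default), lists every regular file with its size, and additionally flags files that sit at well-known credential locations (the `SENSITIVE_PREFIXES` list is an assumption made for the example). Like the package, it reads only; nothing is written or sent anywhere. The `demonstrate()` function returns its counts so the behaviour can be checked on a constructed directory instead of a real home.

```python
import os
import stat
from pathlib import Path

# Well-known credential locations relative to $HOME. Assumed list for this
# example; a real attacker would use a longer one.
SENSITIVE_PREFIXES = (
    ".ssh/", ".aws/", ".config/gcloud/", ".docker/config.json",
    ".netrc", ".pypirc", ".npmrc", ".kube/config",
)


def walk_and_list(root):
    """Recursively list regular files under `root` as (path, size_in_bytes).

    Unreadable directories are skipped instead of aborting the walk; malicious
    code would do the same so that one permission error does not stop it.
    Symlinks are not followed (os.walk default) and are not counted as files.
    """
    root = Path(root)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.lstat()
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                found.append((str(p), st.st_size))
    return sorted(found)


def flag_sensitive(files, root):
    """Return the subset of `files` located at well-known credential paths under `root`."""
    root = Path(root)
    flagged = []
    for path, size in files:
        rel = Path(path).relative_to(root).as_posix()
        if any(rel == pfx.rstrip("/") or rel.startswith(pfx) for pfx in SENSITIVE_PREFIXES):
            flagged.append((path, size))
    return flagged


def demonstrate(root=None):
    """List every file under `root` (default: your home directory) and print a warning.

    Returns (file_count, total_bytes, flagged_files) so the result can be
    inspected without parsing stdout.
    """
    root = Path(root) if root else Path.home()
    files = walk_and_list(root)
    flagged = flag_sensitive(files, root)
    total = sum(size for _, size in files)
    for path, size in files:
        print(f"{size:>12}  {path}")
    print(f"\nWARNING: the code above just read {len(files)} files ({total} bytes) under")
    print(f"{root} using nothing but your normal user permissions. {len(flagged)} of them")
    print("are at well-known credential paths. A malicious package could have uploaded")
    print("all of them without asking you.")
    return len(files), total, flagged


if __name__ == "__main__":
    demonstrate()
```

Run it against a scratch directory first (`demonstrate("/tmp/somedir")`) if you do not want your whole home directory scrolling past.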

## Why does this exist?

When you run `pip install some-package`, everything that package does runs with your full user permissions. If pip installs from a source distribution, the package's `setup.py` or build backend executes during the install itself; if it installs a wheel, nothing runs until the first `import`, but from then on the package's code is just code running as you. Either way there is no sandbox, no permission prompt, and no filesystem restriction. A malicious package could:

- Read your SSH keys, cloud credentials, and browser cookies
- Scan your source code and configuration files
- Send all of this to a remote server, silently, at install time or on first import

This package makes that risk tangible by showing you exactly how much of your filesystem is accessible to any installed Python code.
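A practical check to pair with the warning above, added for this README and not part of the package: inspect a downloaded artifact for the places where its code can run *before* you ever call it. For a source distribution that is `setup.py` and a PEP 517 `backend-path` (an in-tree build backend) in `pyproject.toml`, both executed by pip during the install; for a wheel it is any `.pth` file whose lines begin with `import`, which `site.py` executes at every interpreter startup even if you never import the package. `build_samples()` writes two constructed artifacts (not real PyPI packages) so the inspector can be exercised offline.

```python
import io
import tarfile
import zipfile
from pathlib import Path


def inspect_sdist(path):
    """Return a list of install-time code surfaces found in an sdist tarball."""
    findings = []
    with tarfile.open(path, "r:*") as tf:
        for member in tf.getmembers():
            # sdists contain a single top-level "<name>-<version>/" directory.
            parts = Path(member.name).parts
            rel = "/".join(parts[1:]) if len(parts) > 1 else member.name
            if rel == "setup.py":
                findings.append("setup.py: executed by the build backend during `pip install`")
            elif rel == "pyproject.toml":
                text = tf.extractfile(member).read().decode("utf-8", "replace")
                if "backend-path" in text:
                    findings.append("pyproject.toml: in-tree build backend (backend-path) runs during `pip install`")
    return findings


def inspect_wheel(path):
    """Return a list of startup-time code surfaces (.pth import lines) found in a wheel."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.endswith(".pth"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith(("import ", "import\t")):
                        findings.append(f"{name}: runs `{line.strip()}` at every interpreter startup")
    return findings


def inspect_artifact(path):
    """Classify `path` as a wheel or sdist and return (kind, findings)."""
    path = str(path)
    if path.endswith(".whl"):
        return "wheel", inspect_wheel(path)
    return "sdist", inspect_sdist(path)


def build_samples(outdir):
    """Write a constructed sdist and wheel (demo data for this example) and return their paths."""
    outdir = Path(outdir)
    sdist = outdir / "demo-0.1.0.tar.gz"
    with tarfile.open(sdist, "w:gz") as tf:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add("demo-0.1.0/setup.py", b"from setuptools import setup\nsetup(name='demo')\n")
        add("demo-0.1.0/pyproject.toml",
            b"[build-system]\nbuild-backend = 'backend'\nbackend-path = ['.']\n")
    wheel = outdir / "demo-0.1.0-py3-none-any.whl"
    with zipfile.ZipFile(wheel, "w") as zf:
        zf.writestr("demo/__init__.py", "print('demo imported')\n")
        zf.writestr("demo_hook.pth", "import demo\n")  # executed by site.py at startup
    return sdist, wheel


if __name__ == "__main__":
    import tempfile
    for artifact in build_samples(tempfile.mkdtemp()):
        kind, findings = inspect_artifact(artifact)
        print(f"{artifact.name} ({kind}):")
        for finding in findings:
            print(f"  - {finding}")
```

To use this on a real package, fetch it without installing (`pip download --no-deps some-package`, or `pip download --no-deps --no-binary :all: some-package` to get the sdist) and run `inspect_artifact()` on the file. If you never want install-time code to run at all, `pip install --only-binary :all: ...` refuses sdists outright; it does not, of course, stop code from running on import.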

## Installation

```bash
pip install a_package_that_demo_pypi_vulnerability
```

## Usage

```python
from a_package_that_demo_pypi_vulnerability import demonstrate_vulnerability

demonstrate_vulnerability()
```

## Disclaimer

This package is **for educational purposes only**. It does not collect, transmit, or store any data. No code runs at install time; the demonstration only executes when you explicitly call the function. Use it to learn about supply-chain security risks and to make informed decisions about the packages you install.

## License

MIT
