opendatahub-io/python-packaging-complexity
helpers/skills/python-packaging-complexity/SKILL.md
Use this skill to analyze Python package build complexity by inspecting PyPI metadata. Evaluates compilation requirements, dependencies, distribution types, and provides recommendations for wheel building strategies.
$ install --global
skillsauthnpx skillsauth add opendatahub-io/ai-helpers python-packaging-complexityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 2, 2026, 6:17 AM131.6s2 files scanned
SKILL.md
- name:
- python-packaging-complexity
- description:
- Use this skill to analyze Python package build complexity by inspecting PyPI metadata. Evaluates compilation requirements, dependencies, distribution types, and provides recommendations for wheel building strategies.
- allowed-tools:
- Bash Read
Python Package Build Complexity Analysis
This skill helps you evaluate the build complexity of Python packages by analyzing their PyPI metadata. It determines whether a package likely requires compilation, assesses build complexity, and provides recommendations for wheel building strategies.
Instructions
When a user asks about Python package build complexity, building wheels, or evaluating PyPI packages for compilation requirements:
-
Run the PyPI inspection script using the package name and optional version:
./scripts/pypi_inspect.py <package_name> [version] -
Analyze the output and provide interpretation focusing on:
Build Complexity Assessment
- Compilation Requirements: Whether the package needs C/C++/Rust/Fortran compilation
- Complexity Score: Numerical score indicating build difficulty (0-10+ scale)
- Key Indicators: Specific classifiers, keywords, or dependencies that suggest complexity
Distribution Analysis
- Source Distribution Availability: Whether sdist is available for building
- Existing Wheels: What wheel types already exist (platform-specific, universal)
- Wheel Coverage: Gaps in wheel availability that might need custom builds
Dependency Analysis
- Complex Dependencies: Dependencies that themselves require compilation
- Version Constraints: Python version requirements and compatibility
- Transitive Complexity: How dependencies affect overall build complexity
-
Provide actionable recommendations:
- Whether to build from source or use existing wheels
- Required build tools and dependencies
- Platform-specific considerations
- Estimated build time and resource requirements
Key Complexity Indicators
High Complexity (Score 5+)
- Native extensions (C/C++/Rust/Fortran classifiers)
- CUDA/GPU acceleration keywords
- Known complex packages (torch, tensorflow, numpy, scipy)
- Missing or limited wheel availability
- Many compiled dependencies
Medium Complexity (Score 2-4)
- Some compilation indicators in description/keywords
- Platform-specific wheels only
- Mixed dependency complexity
- Moderate build requirements
Low Complexity (Score 0-1)
- Pure Python packages
- Universal wheels available
- Simple dependencies
- No compilation requirements
Usage Examples
Basic Package Analysis
./scripts/pypi_inspect.py torch
Interpretation: Analyze latest PyTorch version for build complexity, focusing on CUDA dependencies and compilation requirements.
Specific Version Analysis
./scripts/pypi_inspect.py numpy 1.24.3
Interpretation: Evaluate specific numpy version, explaining why numpy requires compilation and what build tools are needed.
JSON Output for Processing
./scripts/pypi_inspect.py tensorflow --json
Interpretation: Get structured data for programmatic analysis, then explain the complexity factors in plain language.
Providing Recommendations
Based on the analysis, provide specific guidance:
For High Complexity Packages
- "This package requires significant compilation infrastructure"
- "Building from source with customizations is recommended"
- "Building from source will need: [specific tools]"
- "Use pre-built wheels only when: source unavailable (proprietary) AND wheels exist on PyPI"
For Wheel Building Strategies
- "Always build from source with customizations for maximum control"
- "Platform-specific wheels needed for: [platforms]"
- "Use pre-built wheels only when: source unavailable (proprietary) AND wheels exist on PyPI"
- "Dependencies that complicate building: [list]"
For Development Planning
- "Budget [time] for build environment setup"
- "Consider containerized builds for reproducibility"
- "Test on target platforms before production deployment"
- "Monitor for new wheel releases that might eliminate build needs"
Error Handling
If the script fails or package is not found:
- Verify package name spelling and availability on PyPI
- Check if the package exists under a different name
- Suggest alternative analysis approaches
- Provide general guidance for unknown packages
Integration Notes
This skill works best when combined with:
- python-packaging-license-finder - License information helps assess redistribution requirements
- Package dependency analysis
- Build environment setup
- Continuous integration planning
- Container build strategies
Related Skills
opendatahub-io/python-packaging-static-audit
development
VerifiedTrustedCommunity
Run hexora static analysis on a Python package repository to detect suspicious code patterns, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-git-audit
development
VerifiedTrustedCommunity
Inspect recent git history of a Python package repository for suspicious commits touching supply-chain-sensitive files, then triage findings with AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-binary-audit
development
VerifiedTrustedCommunity
Scan a Python package repository for compiled/binary files using Fromager-style detection and malcontent YARA analysis, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/non-redhat-rpms
testing
VerifiedTrustedCommunity
Use this skill to identify non-Red Hat RPM packages installed in container images or on the local machine. For containers, pulls images across multiple architectures and release tags; for local scans, inspects the host directly. Extracts RPM signing metadata and reports packages not signed with the Red Hat GPG key as CSV output. Use when auditing compliance, checking supply-chain provenance, or scanning for third-party RPMs in RHOAI component images.
30SKILL.mdUpdated May 29, 2026