Google Generative AI SDK
PyPI: google-generativeai

The Google Generative AI Python SDK provides access to the Gemini model family (Gemini 1.5 Pro, Gemini 2.0, and later) through the Google AI Gemini API. It supports multimodal inputs, function calling, and streaming generation. Applications authenticate with a Google API key stored as an environment variable.

Checking Google Generative AI SDK
google-generativeai 0.7.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

curl "https://api.attestd.io/v1/check?product=google-generativeai&version=0.7.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "google-generativeai",
  "version": "0.7.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

Why this package is monitored
SDK-level compromise gives an attacker access to the Google API key, which may also grant access to other Google Cloud services depending on how the key is scoped, extending the blast radius beyond the AI API alone.
Attestd monitors google-generativeai using the following detection sources:
registry: Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.
osv: OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.
pypi_yank: Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
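
An added example, not Attestd's own code: a fail-closed install gate that evaluates the check response shown above before a pinned version is accepted. It assumes that `supported: false` means no verdict is available and that `sources` holds the source names listed on this page; `FLAGGED` is a constructed sample with a placeholder version.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.attestd.io/v1/check"  # endpoint from the curl example above
# Confidence per detection source, as listed on this page.
CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}


def fetch(product, version, api_key):
    """Same request as the curl example: query parameters plus bearer token."""
    query = urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(f"{API}?{query}",
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def evaluate(resp, product, version):
    """Return (allow, reason); anything other than a clear clean verdict blocks."""
    if not isinstance(resp, dict):
        return False, "response is not a JSON object"
    if (resp.get("product"), resp.get("version")) != (product, version):
        return False, "response is for a different product or version"
    if resp.get("supported") is not True:  # assumed: false means no verdict
        return False, "product not supported, no verdict"
    sc = resp.get("supply_chain")
    if not isinstance(sc, dict) or not isinstance(sc.get("compromised"), bool):
        return False, "supply_chain block missing or malformed"
    if not sc["compromised"]:
        return True, "clean"
    # Assumed: sources holds source names; unknown names count as confidence 1.0.
    names = [str(s) for s in (sc.get("sources") or [])]
    top = max((CONFIDENCE.get(n, 1.0) for n in names), default=1.0)
    return False, f"compromised per {', '.join(names) or 'unknown'} (confidence {top:.2f})"


# The clean response shown on this page, abbreviated to the fields evaluated.
CLEAN = {"product": "google-generativeai", "version": "0.7.0", "supported": True,
         "supply_chain": {"compromised": False, "sources": []}}
# Constructed sample, not a real advisory: placeholder version, two sources.
FLAGGED = {"product": "google-generativeai", "version": "0.0.0-example",
           "supported": True,
           "supply_chain": {"compromised": True, "sources": ["osv", "pypi_yank"]}}

if __name__ == "__main__":
    for sample in (CLEAN, FLAGGED):
        print(sample["version"], evaluate(sample, sample["product"], sample["version"]))
```

In a pipeline, pass the result of `fetch()` to `evaluate()` and stop the install step whenever the first element of the returned tuple is `False`.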