Pinecone Client
PyPI: pinecone
The Pinecone Python client provides access to Pinecone's managed vector database service, used for semantic search, retrieval-augmented generation, and recommendation systems. It authenticates via a Pinecone API key and is the primary interface for inserting and querying embeddings. RAG pipelines that use Pinecone pass query embeddings and receive the most relevant document chunks in response.
Checking Pinecone Client
pinecone 5.0.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.
curl "https://api.attestd.io/v1/check?product=pinecone&version=5.0.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "product": "pinecone",
  "version": "5.0.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

Why this package is monitored
Vector database clients in RAG pipelines receive the retrieved context that is injected into model prompts. A backdoored client can replace retrieved chunks with attacker-controlled content, enabling indirect prompt injection at the retrieval layer.
Attestd monitors pinecone using the following detection sources:
registry: Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.
osv: OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.
pypi_yank: Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
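As an added example (not Attestd's own tooling), here is a small CI gate that runs every exact pin in a requirements file through the check endpoint shown above and fails the build on a confirmed compromise. The endpoint, bearer header and response fields are taken from the curl example; the "review" verdict for unmonitored packages or a risk_state other than "none", the BAD sample response and the package name examplepkg are assumptions made for the demo.

```python
import json
import re
import urllib.parse
import urllib.request

ATTESTD_CHECK = "https://api.attestd.io/v1/check"  # endpoint from the curl example above
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

# Sample responses: CLEAN is the page's pinecone 5.0.0 response, BAD is constructed.
CLEAN = {"product": "pinecone", "version": "5.0.0", "supported": True, "risk_state": "none",
         "supply_chain": {"compromised": False, "sources": [], "malware_type": None,
                          "description": None, "advisory_url": None, "compromised_at": None,
                          "removed_at": None}, "last_updated": "2026-05-01T00:00:00Z"}
BAD = {"product": "examplepkg", "version": "9.9.9", "supported": True,
       "supply_chain": {"compromised": True, "sources": ["osv"],
                        "advisory_url": "https://example.invalid/MAL-0000-constructed"}}

def parse_pins(requirements_text):
    """Return (name, version) for every exact '==' pin; unpinned lines cannot be checked."""
    return [(m.group(1).lower(), m.group(2))
            for m in map(PIN_RE.match, requirements_text.splitlines()) if m]

def fetch_check(product, version, api_key, timeout=10):
    """Live lookup of one version: the same request as the curl command above."""
    query = urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(ATTESTD_CHECK + "?" + query,
                                 headers={"Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def verdict(check):
    """'block' on a confirmed compromise; 'review' when the package is not monitored or
    risk_state is anything but 'none' (assumption: such states deserve a human look)."""
    if (check.get("supply_chain") or {}).get("compromised") is True:
        return "block"
    if not check.get("supported") or check.get("risk_state") != "none":
        return "review"
    return "allow"

def gate(requirements_text, lookup):
    """Check every pin via lookup(name, version) -> response dict; returns (ok, findings)."""
    findings = []
    for name, version in parse_pins(requirements_text):
        check = lookup(name, version)
        state = verdict(check)
        if state != "allow":
            advisory = (check.get("supply_chain") or {}).get("advisory_url")
            findings.append((name, version, state, advisory))
    return not any(f[2] == "block" for f in findings), findings
```

In a pipeline, pass `lambda n, v: fetch_check(n, v, api_key)` as the lookup; the embedded CLEAN and BAD dicts let the decision logic run offline.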