Detect AI-hallucinated packages before you install them.
Project description
slopcheck
Detect AI-hallucinated packages before you install them.
When your AI coding assistant suggests flask-gpt-helper or easy-requests, those packages probably don't exist. But someone might register them as malware before you notice. That's slopsquatting.
slopcheck catches it first.
Install
pip install slopcheck
Usage
Scan your project
# Auto-detect dependency files in current directory
slopcheck .
# Scan a specific file
slopcheck requirements.txt
Check a single package
slopcheck flask-gpt-helper --pkg pypi
slopcheck react-ai-utils --pkg npm
slopcheck easy-http --pkg crates.io
slopcheck github.com/fake/module --pkg go
Output
[SLOP] flask-gpt-helper (pypi)
> Package 'flask-gpt-helper' does not exist on pypi. Your AI made it up.
> Name ends with '-helper' -- classic LLM naming pattern
[SLOP] reqeusts (pypi)
> Package 'reqeusts' does not exist on pypi. Your AI made it up.
? Did you mean: requests
[SUS] easy-requests (pypi)
> Name starts with 'easy-' -- classic LLM naming pattern. Package exists but the name screams 'LLM bait'.
[OK] requests (pypi)
JSON output (for CI)
slopcheck requirements.txt --json
What it detects
- Non-existent packages -- the #1 signal. If it's not on the registry, your AI made it up.
- Brand new packages -- created in the last 7 days? Probably registered to trap you.
- Low downloads -- under 100 downloads means nobody uses it.
- Hallucination patterns -- LLMs love naming packages
{popular-lib}-{ai|gpt|helper|utils}. We check for these patterns. - Typosquats -- Levenshtein distance check against popular packages with "did you mean?" suggestions.
- Missing repo links -- legitimate packages almost always link to source code.
Supported ecosystems
| Ecosystem | Dependency files | Registry |
|---|---|---|
| PyPI | requirements.txt, pyproject.toml |
pypi.org |
| npm | package.json |
npmjs.org |
| crates.io | Cargo.toml |
crates.io |
| Go | go.mod |
proxy.golang.org |
Exit codes
| Code | Meaning |
|---|---|
| 0 | Clean -- all packages check out |
| 1 | Suspicious -- some packages deserve a second look |
| 2 | Slop detected -- hallucinated or dangerously new packages found |
Options
slopcheck [target] [options]
target Directory, file, or package name (default: .)
--pkg ECOSYSTEM Check single package (pypi, npm, crates.io, go)
--workers N Parallel registry checks (default: 10)
--json JSON output for CI pipelines
License
MIT
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file slopcheck-0.1.0.tar.gz.
File metadata
- Download URL: slopcheck-0.1.0.tar.gz
- Upload date:
- Size: 12.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c6e11834426f2b4c81821503bbf21c6107f44e112b617fec33441ff1b9991d99
|
|
| MD5 |
8e59e0fd4ea383c05a0986de08bedf91
|
|
| BLAKE2b-256 |
7f866c0d3f7a7c3b00b0f366740879147afb9d0de4164e65f69555f3b80b7a87
|
File details
Details for the file slopcheck-0.1.0-py3-none-any.whl.
File metadata
- Download URL: slopcheck-0.1.0-py3-none-any.whl
- Upload date:
- Size: 13.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
53b45f748223882eefd76fff11d42bf8942f7de246919df882fe09bac7280efe
|
|
| MD5 |
48acf393df93d5c341c04d352f609faa
|
|
| BLAKE2b-256 |
bbe9a3d82aeef3b96b69de1f2d01dcb42f5847109e451e2829b2129c3e5baee6
|
