Slop and typosquat detection for PyPI packages
Project description
slopspotter
Detects AI-hallucinated Python packages before they get installed.
Checks a package against a curated hallucinated packages database and verifies its existence on PyPI in real time, returning a risk assessment with a clear install recommendation.
Installs two tools:
- slopspotter: CLI for manual package checks
- slopspotter-mcp: stdio MCP server for AI coding agents
Installation
pip install slopspotter
Usage
slopspotter requests
{
  "package": "requests",
  "exists": true,
  "pypi_unavailable": false,
  "in_slop_db": false,
  "risk_level": "low",
  "safe_to_install": true,
  "recommendation": "PROCEED: 'requests' appears safe to install."
}
Example high risk output:
{
  "package": "cohere-ai-sdk",
  "exists": false,
  "pypi_unavailable": false,
  "in_slop_db": true,
  "risk_level": "high",
  "safe_to_install": false,
  "recommendation": "BLOCK: 'cohere-ai-sdk' does not exist on PyPI and is flagged as a hallucinated package."
}
Exit codes: 0 = low risk, 1 = medium, 2 = high, 3 = critical.
Risk Levels
| Level | Meaning |
|---|---|
| low | Exists on PyPI, not flagged |
| medium | Flagged with low historical risk |
| high | Not on PyPI (hallucinated), flagged, or PyPI unreachable |
| critical | Flagged and actively installable on PyPI |
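A pre-install gate for CI built on the exit codes and risk levels documented above, which cross-checks the exit code against the JSON report and fails closed when they disagree. This is an added example, not code from the slopspotter project: the helper names (requirement_names, run_cli, assess, gate) and the fail-closed policy are assumptions, and only the `slopspotter <package>` invocation, the `risk_level` field and the exit-code mapping come from this page.

```python
import json
import re
import subprocess

# Exit-code mapping as documented on this page.
EXIT_TO_RISK = {0: "low", 1: "medium", 2: "high", 3: "critical"}
ORDER = ["low", "medium", "high", "critical"]


def requirement_names(text):
    """Yield project names from simple requirements.txt-style lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        # Skip blanks, pip options (-r, -e, --hash) and direct URL references.
        if not line or line.startswith("-") or "://" in line:
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            yield match.group(0)


def run_cli(package):
    """Run the slopspotter CLI and return (exit_code, stdout)."""
    try:
        proc = subprocess.run(["slopspotter", package], capture_output=True, text=True)
    except OSError:
        return 127, ""  # CLI not installed or not executable
    return proc.returncode, proc.stdout


def assess(package, runner=run_cli):
    """Return the risk level; fail closed to 'critical' on unusable output."""
    code, out = runner(package)
    try:
        report = json.loads(out)
    except ValueError:
        return "critical"  # no parseable report: do not trust the exit code alone
    risk = report.get("risk_level") if isinstance(report, dict) else None
    # The JSON body and the exit code must tell the same story.
    if risk not in ORDER or EXIT_TO_RISK.get(code) != risk:
        return "critical"
    return risk


def gate(requirements_text, max_risk="low", runner=run_cli):
    """Return {package: risk} for requirements above max_risk (empty = pass)."""
    limit = ORDER.index(max_risk)
    found = {name: assess(name, runner) for name in requirement_names(requirements_text)}
    return {name: risk for name, risk in found.items() if ORDER.index(risk) > limit}
```

In a pipeline, call `gate(open("requirements.txt").read())` before `pip install` and fail the job when the returned dict is non-empty.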
How It Works
Each package is checked against a curated database of known AI-hallucinated packages and verified against PyPI in real time. The database is maintained by the project author.
MCP Server
slopspotter ships with a stdio MCP server for use with AI coding agents (Claude Code, Cursor, etc.). Once connected, the agent will automatically call assess_package before any install and block unsafe packages.
Claude Code
claude mcp add slopspotter uvx --from slopspotter slopspotter-mcp
Or add manually to your project's .mcp.json:
{
  "mcpServers": {
    "slopspotter": {
      "type": "stdio",
      "command": "uvx",
      "args": ["--from", "slopspotter", "slopspotter-mcp"]
    }
  }
}
If you already have slopspotter installed via pip:
{
  "mcpServers": {
    "slopspotter": {
      "type": "stdio",
      "command": "slopspotter-mcp"
    }
  }
}
Other agents (Cursor, Windsurf, etc.)
Use the same JSON config — most agents support the mcpServers format.
Usage
Once connected, your agent will automatically assess packages before installing. You can also ask directly:
"Is requests safe to install?"
File details
Details for the file slopspotter-0.1.0.tar.gz.
File metadata
- Download URL: slopspotter-0.1.0.tar.gz
- Upload date:
- Size: 23.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6e617e5f21c7083b7483d6cbcaf6f30026b2ceba29f7151b60bb1e329e92cb63 |
| MD5 | 3cf53e1471133d101982de7bdcf822ce |
| BLAKE2b-256 | c936f2dc084d88d1630592bf8682740718c19ace022001630d67e64621c50dcd |
File details
Details for the file slopspotter-0.1.0-py3-none-macosx_11_0_arm64.whl.
File metadata
- Download URL: slopspotter-0.1.0-py3-none-macosx_11_0_arm64.whl
- Upload date:
- Size: 5.8 MB
- Tags: Python 3, macOS 11.0+ ARM64
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 716afe8efd27ee6fadebc0bb859455f932426693e24ffa986077a8ebed20302b |
| MD5 | cf2e7f5a3362ac922c70878acfcc1b82 |
| BLAKE2b-256 | 038d7a1b43c73edcb647d675a82d2d681ae96b72c70a57f10a544e890de12823 |