Free, open-source defense against AI-hallucinated package names.
100% MIT-licensed. Free forever. No paid tier. No SaaS. No telemetry.
SlopGuard is a complete open-source stack for catching slopsquatted package names — names LLMs hallucinate that attackers register with malware. Every piece is free to use, fork, and self-host:
| Component | What it is | Where it runs |
|---|---|---|
| `apps/cli/` | The slopguard CLI (on PyPI) | Your laptop / CI |
| `apps/mcp/` | MCP server for Claude Code, Cursor, Continue, Cody | Local stdio, pip install |
| `apps/api/` | FastAPI multi-tenant backend | Docker compose / Fly.io |
| `apps/web/` | Next.js dashboard | Vercel / your own host |
| `apps/probe/` | LLM probing harness | GitHub Actions cron |
| `corpus/` | Open prompt corpus | This repo |
| `reports/` | Quarterly Index PDFs | This repo |
```shell
pip install slopguard-cli
slopguard scan      # scan current directory, no auth required
slopguard update    # refresh DB from GitHub Pages
```

```shell
pip install slopguard-mcp
# then add to your MCP config:
#   "slopguard": { "command": "slopguard-mcp" }
```

Your AI coding agent now calls `slopguard_check_package` before suggesting any `npm install` / `pip install`.

```shell
slopguard pre-commit install   # writes .git/hooks/pre-commit
# now `git commit` is blocked if you staged a HALLUCINATED dependency
```

```shell
git clone https://github.com/hariomunknownslab/slopguard
cd slopguard
cp .env.example .env          # fill in your own Clerk keys (free tier)
docker compose up -d          # postgres + redis + api + web
open http://localhost:3000    # sign in, mint a token, scan from CLI
```

```shell
slopguard login --api-url http://localhost:8000   # paste the token
slopguard scan . --upload     # syncs to your dashboard daily 03:17 UTC
```
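What `slopguard scan` and the pre-commit hook boil down to is a lookup of every staged dependency against the published hallucination DB, with a non-zero exit when anything matches. The block below is an added example written for this README, not the slopguard CLI's own code. It assumes the DB is a dict shaped `{"pypi": [names], "npm": [names]}` (the real `db.json` schema is not shown here) and uses constructed manifests and invented package names; it also shows the one detail that is easy to get wrong on PyPI, name normalisation, so that `Example_Hallucinated.PKG` and `example-hallucinated-pkg` are recognised as the same project.

```python
"""Added example (not the slopguard CLI's own code): scan a dependency
manifest against a slopsquat DB and decide the pre-commit verdict.

Assumptions: the DB is a dict {"pypi": [names], "npm": [names]} (the real
db.json schema is not shown on the page), and the manifests below are
constructed for the example.
"""
import json
import re
from typing import Optional

# Constructed stand-in for db.json; the names are invented, not real findings.
FAKE_DB = {
    "pypi": ["Example-Hallucinated-Pkg", "torchtext_utils_pro"],
    "npm": ["react-fast-validate-pro"],
}

# Constructed manifests a developer might have staged.
REQUIREMENTS_TXT = """\
requests==2.31.0
Example_Hallucinated.PKG>=1.0   # same project as in FAKE_DB, different spelling
-r other-requirements.txt
"""
PACKAGE_JSON = json.dumps({
    "dependencies": {"react": "^18.2.0", "react-fast-validate-pro": "1.0.0"},
    "devDependencies": {"vitest": "^1.0.0"},
})


def normalize_pypi(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_', '.'.
    Without it a DB entry and a manifest entry for the same project miss each other."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Project names from requirements.txt lines (options and comments skipped)."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        # the name ends at the first version specifier, extras bracket or marker
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(match.group(1))
    return names


def parse_package_json(text: str) -> list:
    """Package names from the package.json dependency maps."""
    data = json.loads(text)
    names = []
    for key in ("dependencies", "devDependencies"):
        names.extend(data.get(key, {}).keys())
    return names


def scan(requirements: Optional[str], package_json: Optional[str], db: dict) -> dict:
    """Return {"HALLUCINATED": [(ecosystem, name)], "ok": [(ecosystem, name)]}."""
    pypi_bad = {normalize_pypi(n) for n in db.get("pypi", [])}
    npm_bad = set(db.get("npm", []))  # npm names are already lowercase and exact
    findings = {"HALLUCINATED": [], "ok": []}
    if requirements:
        for name in parse_requirements(requirements):
            verdict = "HALLUCINATED" if normalize_pypi(name) in pypi_bad else "ok"
            findings[verdict].append(("pypi", name))
    if package_json:
        for name in parse_package_json(package_json):
            verdict = "HALLUCINATED" if name in npm_bad else "ok"
            findings[verdict].append(("npm", name))
    return findings


def precommit_exit_code(findings: dict) -> int:
    """Non-zero is what makes a pre-commit hook refuse the commit."""
    return 1 if findings["HALLUCINATED"] else 0


if __name__ == "__main__":
    result = scan(REQUIREMENTS_TXT, PACKAGE_JSON, FAKE_DB)
    for ecosystem, name in result["HALLUCINATED"]:
        print(f"HALLUCINATED  {ecosystem}:{name}")
    raise SystemExit(precommit_exit_code(result))
```

To run this against the real data, replace `FAKE_DB` with the JSON fetched from the GitHub Pages URL the CLI uses during `slopguard update`, and keep the normalisation step: a DB that stores raw names and a scanner that compares raw names will miss any hallucinated project whose spelling differs only in case or separators.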
```text
                 │
                 ▼
┌────────────────────────────────────┐
│ .github/workflows/probe-cron.yml   │ reads corpus/ (MIT, public)
│ python -m slopguard_probe run +    │ calls each enabled LLM
│ aggregate                          │ parses imports, checks npm + PyPI
└────────────────┬───────────────────┘
                 │ writes
                 ▼
┌────────────────────────────────────┐
│ probe-data/observations/*.jsonl    │ raw LLM observations
│ probe-data/candidates.json         │ aggregated, pending PR review
└────────────────┬───────────────────┘
                 │ opens PR
                 ▼
┌────────────────────────────────────┐
│ Human review — flip status:        │ you're invited
│ pending → approved or rejected     │
└────────────────┬───────────────────┘
                 │ merge to main
                 ▼
┌────────────────────────────────────┐
│ .github/workflows/publish-db.yml   │
│ filters approved rows → publishes  │
│ to gh-pages branch                 │
└────────────────┬───────────────────┘
                 │
                 ▼
┌────────────────────────────────────┐
│ https://hariomunknownslab.github.io│
│ /slopguard/db.json                 │
└────────────────┬───────────────────┘
                 │ slopguard update / MCP server / /p/<name> page
                 ▼
             end users
```
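The pipeline in the diagram has four data transformations worth seeing end to end: parse imports out of LLM output, check each name against the registry, aggregate the raw observations into `pending` candidates, and publish only the rows a human flipped to `approved`. The block below is an added example written for this README, not code from `apps/probe/` or the publish workflow. The record shapes, the `REGISTRY` stand-in for the live npm/PyPI existence check, and the LLM outputs are all constructed for the example; only the status values `pending`/`approved`/`rejected` come from the README. It also carries the caveat a real probe must handle: a Python import name is not always the PyPI distribution name.

```python
"""Added example (not the project's own code): the probe pipeline from the
diagram modelled in plain Python: parse imports from LLM output, check
them against a registry, aggregate raw observations into pending
candidates, apply a human review decision, and publish only approved rows.

Assumptions: the record shapes below and the REGISTRY lookup are invented
for the example; only the status values pending/approved/rejected come
from the README.
"""
import json
import re
from collections import defaultdict

# Constructed stand-in for the live "does this name exist on npm / PyPI" check.
REGISTRY = {"pypi": {"requests", "numpy"}, "npm": {"react", "lodash"}}

# Constructed LLM outputs: (model, prompt_id, ecosystem, generated code).
LLM_OUTPUTS = [
    ("model-a", "p1", "pypi", "import requests\nimport fastjsonutils\n"),
    ("model-b", "p1", "pypi", "from fastjsonutils import loads\nimport numpy as np\n"),
    ("model-b", "p2", "npm", "const v = require('react-form-validate-pro');\nimport React from 'react';\n"),
]

PY_IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.MULTILINE)
JS_IMPORT_RE = re.compile(r"""(?:require\(|from\s+)['"](@[\w.-]+/[\w.-]+|[\w.-]+)['"]""")


def extract_imports(code: str, ecosystem: str) -> set:
    """Top-level import names in a snippet. Caveat: a Python import name is not
    always the distribution name on PyPI (import yaml -> PyYAML), so a real probe
    needs a mapping step before the registry lookup."""
    regex = PY_IMPORT_RE if ecosystem == "pypi" else JS_IMPORT_RE
    return set(regex.findall(code))


def observe(model: str, prompt_id: str, ecosystem: str, code: str) -> list:
    """One raw observation per imported name, with the registry verdict attached."""
    return [
        {"model": model, "prompt_id": prompt_id, "ecosystem": ecosystem,
         "package": name, "exists": name in REGISTRY[ecosystem]}
        for name in sorted(extract_imports(code, ecosystem))
    ]


def aggregate(observations: list) -> list:
    """Collapse observations into candidate rows that start in status 'pending'."""
    seen = defaultdict(lambda: {"models": set(), "prompts": set()})
    for obs in observations:
        if obs["exists"]:
            continue  # a name the registry already knows is not a slopsquat candidate
        key = (obs["ecosystem"], obs["package"])
        seen[key]["models"].add(obs["model"])
        seen[key]["prompts"].add(obs["prompt_id"])
    return [
        {"ecosystem": eco, "name": name, "status": "pending",
         "models": sorted(v["models"]), "prompt_count": len(v["prompts"])}
        for (eco, name), v in sorted(seen.items())
    ]


def review(candidates: list, ecosystem: str, name: str, status: str) -> list:
    """The PR step: a human flips one row from pending to approved or rejected."""
    if status not in ("approved", "rejected"):
        raise ValueError(f"unknown status {status!r}")
    for row in candidates:
        if (row["ecosystem"], row["name"]) == (ecosystem, name):
            row["status"] = status
    return candidates


def publish(candidates: list) -> dict:
    """The publish-db step: only approved rows reach the published DB."""
    db = defaultdict(list)
    for row in candidates:
        if row["status"] == "approved":
            db[row["ecosystem"]].append(row["name"])
    return {eco: sorted(names) for eco, names in sorted(db.items())}


def run_probe(outputs=LLM_OUTPUTS) -> tuple:
    """Probe run + aggregate, as the cron job does before opening its PR."""
    observations = [o for m, p, eco, code in outputs for o in observe(m, p, eco, code)]
    return observations, aggregate(observations)


if __name__ == "__main__":
    observations, candidates = run_probe()
    # simulate the review PR: one row approved, one rejected
    review(candidates, "pypi", "fastjsonutils", "approved")
    review(candidates, "npm", "react-form-validate-pro", "rejected")
    print(json.dumps(publish(candidates), indent=2))
```

Two properties of this shape are what make the git-history-as-audit-log claim hold: nothing reaches `publish()` without passing through `review()`, and the `models`/`prompt_count` fields survive aggregation, so a reviewer can see whether a name was hallucinated once by one model or repeatedly across several before approving it.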
Git history is the audit log. Methodology is auditable (`docs/methodology.md`). The corpus is forkable (`corpus/`). The probe is reproducible (`apps/probe/`). The dashboard is self-hostable (`docker-compose.yml`).
- Add a prompt category. 15 intents from the spec target are still missing — see `corpus/README.md`.
- Review a candidate. The probe cron opens a PR named `probe: pending candidates …`. Flip `status: pending` → `approved` or `rejected` and merge.
- Contribute a finding. Open an issue with the prompt + model + package name.
- Build something on top. The MCP server, the CLI, the API, the dashboard — all MIT. Fork freely.
- The CLI never makes outbound calls except to the public npm + PyPI registries (during scoring) and to GitHub Pages (during `slopguard update`). Both are overridable via env vars.
- The MCP server runs locally on stdio and only fetches the public GitHub Pages DB.
- The dashboard, when self-hosted, never phones SlopGuard — it talks only to the Postgres + Redis you brought.
- The hallucination DB is a static JSON file in a public git repo — inspect it, mirror it, audit it.
- No analytics, no telemetry, no ping-home. Ever.
MIT for everything. The `corpus/` directory ships with its own MIT `LICENSE` file so it can be vendored independently.