slopcheck

Scan files for npm install, npx, pnpm add, yarn add, bun add, and bunx commands, extract package names, and validate each against the live npm registry. Packages that don't exist are reported as phantom packages (hallucinations). Packages with HTTP 451 responses are flagged as security holds (removed for malware).

Zero runtime dependencies. Uses only Node.js built-in APIs.

When to use

• - Before installing packages from any AI-generated file (SKILL.md, AGENTS.md, .cursorrules, README.md)
• Before committing markdown or config files that reference npm packages
• When reviewing pull requests that add new package references in documentation
• After generating code or documentation that includes install commands

Commands

CODEBLOCK0

Interpreting output

CODEBLOCK1

• - not found on npm — the package name does not exist in the npm registry. Likely an AI hallucination. Do not install it. An attacker may register the name as malware (slopsquatting).
• security hold (HTTP 451) — npm has removed this package, typically for malware. Do not install it under any circumstances.
• Exit code 0 — all packages verified as existing on npm.
• Exit code 1 — one or more phantom packages found.

JSON output format

When using --json, output is an array of findings:

CODEBLOCK2

What slopcheck does NOT do

• - Does not scan package.json or lock files — use Socket.dev or Snyk for that
• Does not check if an existing package is malicious — existing only means not hallucinated
• Does not validate package versions or compatibility

Scanned file types

INLINECODE7, .yml, .yaml, .json, INLINECODE11

Directories named node_modules, .git, dist, and build are always skipped.