import-guardian
FlaggedCatch AI-hallucinated (slopsquatted) npm imports in generated code before npm install.
Our take
The tool addresses a real problem (slopsquatted npm imports), but the audit found manufactured ecosystem presence: the anonymous zero-follower owner forked five awesome-* lists (awesome-mcp-servers, awesome-mcp-security, awesome-secure-mcp-servers, awesome-x402, awesome-agentic-commerce) in one week and committed self-insertions promoting his own products — the awesome-x402 fork carries an 'Add guardian set to Security & Audits' commit advertising four of them. Those four 'guardian' services plus six other repos were all created within days of each other, each monetized via Stripe 'premium' tools and x402 pay-per-call USDC. Faked ecosystem endorsement to sell paid API calls from an anonymous operator is exactly the buywhere pattern.
Verification record
- yesterday
- 0
- 10 days ago
- no
- MIT
- 235
- 0.3.0
- 2026-06-26