npm install.

An LLM just wrote some code. It might import a package that doesn't exist — a name the model hallucinated. Attackers register exactly those names and ship malware (slopsquatting). import-guardian reads the code, extracts every npm import, and tells you which ones are real.
| Check | What it flags |
| --- | --- |
| 👻 Hallucinated | imports of packages that do not exist on npm — the model invented the name. Returns a BLOCK with a "did you mean" pointing to the real package. |
| 🪤 Fresh squats | packages that do exist but were published days ago, have no repo, have near-zero downloads, or are a 1–2 edit typo of a popular lib. |
| 🧩 Import-aware | resolves `import x from "@scope/pkg/sub"` → `@scope/pkg`, skips builtins and local paths. No AST, no deps. |
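To show the import-aware extraction and the hallucination verdict described above, here is an added example in JavaScript; it is not import-guardian's own source. It uses regexes rather than an AST, an abbreviated builtin list, and a constructed in-memory set standing in for the npm registry (the real tool queries npm), with plain Levenshtein distance for the "did you mean" suggestion.

```javascript
// Added example, not import-guardian's code. Extracts npm package names
// from JS/TS source, checks them against a constructed registry stand-in,
// and suggests a near-miss real package for names that do not exist.
// BUILTINS is deliberately abbreviated; use require("module").builtinModules in practice.
const BUILTINS = new Set(["fs", "path", "http", "https", "crypto", "os",
  "url", "util", "events", "stream", "child_process", "assert"]);

// Reduce an import specifier to the npm package it would install.
function toPackageName(spec) {
  // "node:fs" is a builtin; "./x" and "/x" are local paths, not packages.
  if (/^(node:|\.|\/)/.test(spec)) return null;
  const parts = spec.split("/");
  // "@scope/pkg/sub" -> "@scope/pkg", "pkg/sub" -> "pkg"
  const name = spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return BUILTINS.has(name) ? null : name;
}

function extractNpmImports(code) {
  const found = new Set();
  const patterns = [
    // import x from "p", import {a} from "p", export * from "p", import "p"
    /\b(?:import|export)\b[^'"`;]*?\bfrom\s*['"]([^'"]+)['"]|\bimport\s*['"]([^'"]+)['"]/g,
    // require("p") and dynamic import("p")
    /\b(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
  ];
  for (const re of patterns) {
    for (const m of code.matchAll(re)) {
      const name = toPackageName(m[1] ?? m[2]);
      if (name) found.add(name);
    }
  }
  return [...found];
}

// Plain Levenshtein distance, used for the "1-2 edit typo" heuristic.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return dp[a.length][b.length];
}

// Constructed stand-in for the npm registry; the real tool queries npm.
const KNOWN = new Set(["lodash", "express", "axios", "request", "chalk"]);

// One verdict per extracted package: OK, or BLOCK with a near-miss suggestion.
function classifyImports(code, known = KNOWN) {
  return extractNpmImports(code).map((name) => {
    if (known.has(name)) return { name, verdict: "OK" };
    let best = null;
    for (const k of known) {
      const d = editDistance(name, k);
      if (d <= 2 && (best === null || d < best.d)) best = { k, d };
    }
    return { name, verdict: "BLOCK", didYouMean: best ? best.k : null };
  });
}
```

Because the registry set is constructed, a real package absent from it (like `@scope/pkg` below) is reported as BLOCK; swap in a live registry lookup for `known.has` to get real verdicts.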
```
POST /scan { "code": "import x from 'reqeusts'\\nimport y from 'lodash'" }
GET /verify?name=express
```

Try it: /verify?name=express · /verify?name=reqeusts
```json
{
  "mcpServers": {
    "import-guardian": { "command": "npx", "args": ["-y", "import-guardian-mcp"] }
  }
}
```

Or connect over HTTP at POST /mcp. Tools: scan_code_imports, check_packages, verify_package.
The /pro/* route is gated by x402. Your agent pays $0.02 USDC per call automatically — no sign-up, no API key. Settles on-chain.

```
POST /pro/scan { "code": "…" }   # 402 → pay → result, no rate limit
```