JSPM

@moriito/sentinel-ai

0.1.0
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 10
  • Score
    100M100P100Q88157F
  • License MIT

CLI tool to detect AI hallucinated packages and npm vulnerabilities

Package Exports

  • @moriito/sentinel-ai
  • @moriito/sentinel-ai/dist/main.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@moriito/sentinel-ai) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

Sentinel-AI

npm version CI License: MIT Node.js Version

A CLI tool to prevent AI slopsquatting (hallucinated package imports) and detect general vulnerabilities in your codebase.

Features

  • AI Hallucination Detection — catches imports of packages that do not exist on npm
  • Shadow Code Detection — flags packages used in imports but missing from package.json
  • Vulnerability Scan — checks all packages against the OSV database (single batch request)
  • Malicious Package Alerts — warns on packages with known malware (MAL-* entries)
  • Package Age Check — flags suspiciously new packages (< 72 hours on npm)
  • Pre-Install Guard — intercepts npm install to block hallucinated or vulnerable packages before they reach your disk
  • Node.js Built-in Filter — ignores fs, path, crypto, node:fs, node:path, and other runtime modules
  • Concurrent Requests — configurable parallelism + retry with exponential backoff

Quick Start

git clone https://github.com/MoriitoDev/sentinel-ai.git
cd sentinel-ai
npm install

# Basic scan
npm run scan

# Full vulnerability scan
npm run scan:deep

CLI Reference

Flag Alias Description Default
--deep -d Enable full scanning (age + vulns + transitive deps) off
--concurrency -c Max parallel requests to npm 5
--include-dev -i Include dev-only transitive deps in deep mode off
--output -o Save report to file (plain text or JSON, console still shows)
--format -f Output format: text (ANSI) or json text
--verbose -v Enable debug logging off

Standard mode

Only checks for hallucinations and shadow code:

npm run scan

Deep mode

Adds age checks and OSV vulnerability scanning for all packages:

npm run scan:deep
npx tsx src/main.ts --deep --concurrency 10

Output

────────────────────────────────────────────────────────
 Sentinel Report  — 4 packages, 860ms, deep mode
────────────────────────────────────────────────────────

 AI HALLUCINATIONS (1)
   ai-slopsquatting         ← not found on npm

 SHADOW CODE (1)
   @swc

 VULNERABILITIES (0)

 CLEAN (2)
   @swc
   fast-glob            v3.3.3

────────────────────────────────────────────────────────

Output to file

# Default text report (no ANSI codes)
npm run scan -- --output report.txt

# JSON report
npm run scan:deep -- --format json --output report.json

The console always shows the colorized output. The file receives a clean copy.

Configuration file

Create .sentinelrc.json in the project root to set defaults:

{
  "concurrency": 10,
  "includeDev": true,
  "outputFormat": "json"
}

CLI flags always override config file values.

Documentation

Full documentation is available as a VitePress site. To run it locally:

npm run docs:dev

Or browse the markdown source in docs/.

How it works

  1. Scans source files with SWC AST parser
  2. Reads package.json for declared dependencies and package-lock.json for exact versions
  3. Fetches npm registry metadata in parallel (configurable concurrency)
  4. Queries OSV vulnerability database in a single batch request (including transitive deps)
  5. Reports findings grouped into Hallucinations, Shadow Code, Vulnerabilities, Transitive Vulnerabilities, and Clean

License

MIT