verify
One line: is this package real, non-malicious, and reputable, before I install it?
An AI agent that hallucinates a package name, or picks up a typosquat,
hands your supply chain to whoever registered that name.
verify checks each package against the public registries and OSV.dev
and reports one verdict per package. It covers npm, PyPI, and
crates.io.
Usage
vulkro-live verify express [email protected]
vulkro-live verify --ecosystem pypi requests flask
vulkro-live verify --manifest ./package.json
vulkro-live verify --format sarif --manifest ./Cargo.toml
Packages are given as name or name@version, or read from a manifest
with --manifest (package.json, requirements.txt, pyproject.toml, or
Cargo.toml; the ecosystem is inferred from the file name). Dependencies
that do not come from a registry (local file: paths, git and http
URLs, workspace: entries) are skipped, and npm: aliases resolve to
the package that actually installs.
Example
$ vulkro-live verify express lodahs axios-retry-helper
npm express OK latest 5.2.1, 109089346 weekly downloads
npm lodahs MALICIOUS flagged malicious by OSV (MAL-2025-25502): Malicious code in lodahs (npm)
npm axios-retry-helper MISSING not found in the registry
3 checked: 1 OK, 1 MALICIOUS, 0 LOOKALIKE, 0 VULNERABLE, 1 MISSING, 0 SUSPICIOUS
The verdict ladder
Verdicts are ordered by severity; a package gets the worst one that applies (MISSING > MALICIOUS > LOOKALIKE > VULNERABLE > SUSPICIOUS > OK):
| Verdict | Meaning |
|---|---|
| MISSING | Not in the registry, or the requested version was never published: a likely AI hallucination or slopsquat. |
| MALICIOUS | Flagged by OSV (an OpenSSF malicious-packages record). |
| LOOKALIKE | A homoglyph or one-edit typo of a very popular package (a likely typosquat). |
| VULNERABLE | The installed version has a known CVE / advisory (from OSV). |
| SUSPICIOUS | Exists, but very new or with very few downloads. |
| OK | Real, not flagged, no known advisory, reasonable reputation. |
Flags
| Flag | Effect |
|---|---|
| --ecosystem <ECOSYSTEM> | Ecosystem for positional packages: npm (default), pypi, or crates |
| --manifest <FILE> | Read package names from a manifest; ecosystem inferred from the file name |
| --min-age-days <DAYS> | Flag packages created within this many days as SUSPICIOUS (default 30) |
| --min-downloads <N> | Flag packages with fewer than this many downloads as SUSPICIOUS (default 100) |
| --no-cache | Bypass the local response cache and always query live |
| --format <FORMAT> | text (default), json, or sarif; see Output formats |
Exit codes: 0 when every package is OK, 1 when one or more are
flagged, 2 on an error.
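The verdict ladder and the default SUSPICIOUS thresholds above, applied to already-fetched signals, as an added example that is not vulkro-live's own code. The `Signals` record, the `POPULAR` sample list and the one-edit check (which counts an adjacent swap as one edit and does not cover homoglyphs) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Severity order from the page, worst first.
LADDER = ["MISSING", "MALICIOUS", "LOOKALIKE", "VULNERABLE", "SUSPICIOUS", "OK"]
POPULAR = {"express", "lodash", "requests", "axios"}  # constructed sample list

@dataclass
class Signals:  # hypothetical record of registry/OSV facts fetched earlier
    name: str
    exists: bool = True
    osv_malicious: bool = False
    advisories: int = 0
    age_days: int = 3650
    downloads: int = 1_000_000

def one_edit(a: str, b: str) -> bool:
    """True if one insert, delete, substitution or adjacent swap turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) < len(b):                    # insert/delete: skip one char of b
        return a[i:] == b[i + 1:]
    if a[i + 1:] == b[i + 1:]:             # substitution at position i
        return True
    return a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]  # swap

def verdict(s: Signals, min_age_days: int = 30, min_downloads: int = 100) -> str:
    hits = {"OK"}
    if not s.exists:
        hits.add("MISSING")
    if s.osv_malicious:
        hits.add("MALICIOUS")
    if s.name not in POPULAR and any(one_edit(s.name, p) for p in POPULAR):
        hits.add("LOOKALIKE")
    if s.advisories:
        hits.add("VULNERABLE")
    if s.age_days <= min_age_days or s.downloads < min_downloads:  # boundary assumed
        hits.add("SUSPICIOUS")
    return min(hits, key=LADDER.index)     # the worst applicable verdict wins

def exit_code(verdicts) -> int:
    # 0 when every package is OK, 1 when any is flagged (2, error, not modelled)
    return 0 if all(v == "OK" for v in verdicts) else 1
```

A package that is both a one-edit typo and OSV-flagged, like `lodahs` in the example run, resolves to MALICIOUS because that rung sits above LOOKALIKE.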
Data sources and privacy
verify reads the public npm registry (registry.npmjs.org) and
download counts (api.npmjs.org), the PyPI JSON API (pypi.org), the
crates.io index and API, and OSV.dev for malicious-package and advisory
data. Only package names leave your machine; your source code never
does. Responses are cached in your own local cache directory, never a
shared server-side mirror.
Composes with
- foresee runs verify's checks over names an AI has not suggested yet, predictively.
- inspect runs verify over the package backing an MCP server.
- trustdb clears a reviewed name@version so verify marks it trusted instead of re-flagging it.
- mcp exposes verify as an MCP tool so the agent checks packages in the loop.