verify

One line: is this package real, non-malicious, and reputable, before I install it?

An AI agent that hallucinates a package name, or picks up a typosquat, hands your supply chain to whoever registered that name. verify checks each package against the public registries and OSV.dev and reports one verdict per package. It covers npm, PyPI, and crates.io.

Usage

vulkro-live verify express [email protected]
vulkro-live verify --ecosystem pypi requests flask
vulkro-live verify --manifest ./package.json
vulkro-live verify --format sarif --manifest ./Cargo.toml

Packages are given as name or name@version, or read from a manifest with --manifest (package.json, requirements.txt, pyproject.toml, or Cargo.toml; the ecosystem is inferred from the file name). Dependencies that do not come from a registry (local file: paths, git and http URLs, workspace: entries) are skipped, and npm: aliases resolve to the package that actually installs.

Example

$ vulkro-live verify express lodahs axios-retry-helper

npm express OK latest 5.2.1, 109089346 weekly downloads
npm lodahs MALICIOUS flagged malicious by OSV (MAL-2025-25502): Malicious code in lodahs (npm)
npm axios-retry-helper MISSING not found in the registry

3 checked: 1 OK, 1 MALICIOUS, 0 LOOKALIKE, 0 VULNERABLE, 1 MISSING, 0 SUSPICIOUS

The verdict ladder

Verdicts are ordered by severity; a package gets the worst one that applies (MISSING > MALICIOUS > LOOKALIKE > VULNERABLE > SUSPICIOUS > OK):

Verdict     Meaning
MISSING     Not in the registry, or the requested version was never published: a likely AI hallucination or slopsquat.
MALICIOUS   Flagged by OSV (an OpenSSF malicious-packages record).
LOOKALIKE   A homoglyph or one-edit typo of a very popular package (a likely typosquat).
VULNERABLE  The installed version has a known CVE / advisory (from OSV).
SUSPICIOUS  Exists, but very new or with very few downloads.
OK          Real, not flagged, no known advisory, reasonable reputation.

Flags

Flag                      Effect
--ecosystem <ECOSYSTEM>   Ecosystem for positional packages: npm (default), pypi, or crates
--manifest <FILE>         Read package names from a manifest; ecosystem inferred from the file name
--min-age-days <DAYS>     Flag packages created within this many days as SUSPICIOUS (default 30)
--min-downloads <N>       Flag packages with fewer than this many downloads as SUSPICIOUS (default 100)
--no-cache                Bypass the local response cache and always query live
--format <FORMAT>         text (default), json, or sarif; see Output formats

Exit codes: 0 when every package is OK, 1 when one or more are flagged, 2 on an error.

Data sources and privacy

verify reads the public npm registry (registry.npmjs.org) and download counts (api.npmjs.org), the PyPI JSON API (pypi.org), the crates.io index and API, and OSV.dev for malicious-package and advisory data. Only package names leave your machine; your source code never does. Responses are cached in your own local cache directory, never a shared server-side mirror.

Composes with

  • foresee runs verify's checks over names an AI has not suggested yet, predictively.
  • inspect runs verify over the package backing an MCP server.
  • trustdb clears a reviewed name@version so verify marks it trusted instead of re-flagging it.
  • mcp exposes verify as an MCP tool so the agent checks packages in the loop.