VULKRO LABS // FREE . OPEN SOURCE
Free tools for the code your AI writes.
Vulkro Labs is a set of free, keyless command-line tools that vet the packages and MCP tools your AI agent reaches for. They run on your machine and send only public metadata (package names, versions, tool manifests). Your source code never leaves your machine, and the tools are open source.
curl -fsSL https://dist.vulkro.com/install-live.sh | bash
- Keyless: No account, no API key, no backend.
- Local: Only package names and tool manifests leave the machine. Never your source.
- Open source: MIT / Apache 2.0, on GitHub.
verify
Live: The AI package bouncer.
Confirms that the packages an AI agent suggested are real, not malicious, and not suspiciously new, before you install them. Give it package names or point it at a manifest. Every package gets one verdict:
- MISSING: Not in the registry (a likely AI hallucination or slopsquat).
- MALICIOUS: Flagged by OSV (an OpenSSF malicious-packages record).
- SUSPICIOUS: Exists, but very new or with very few downloads.
- OK: Real, established, and not flagged.
Ecosystems: npm (default), PyPI, and crates. With --manifest it infers the ecosystem from the file name (package.json, requirements.txt, pyproject.toml, Cargo.toml).
vulkro-live verify express [email protected]
vulkro-live verify --manifest package.json
vulkro-live verify requsts flask --ecosystem pypi
warden
Live: The MCP tool bouncer.
Scans an MCP server's tool manifest before your agent trusts it. It reads only tool metadata (never runs code) and reports findings by severity:
- prompt-injection / tool-poisoning: Instruction-injection or steering text in a tool description.
- hidden-unicode: Invisible characters hiding instructions from a human reviewer.
- tool-shadowing: Duplicate or builtin-colliding tool names.
- sensitive-parameter: A tool that asks the model to pass secrets.
- capability / annotation: Powerful or self-declared risky behaviour.
It accepts a tools/list result, a bare array of tools, or a single tool object.
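Three of the metadata-only checks listed above (hidden-unicode, tool-shadowing, sensitive-parameter), applied to all three accepted input shapes, as an added Python example. It is not Vulkro's code: the built-in name list, the secret-name hints and the sample manifest are assumptions constructed for illustration.

```python
import json
import unicodedata

# Assumed for illustration: names treated as agent built-ins, and secret-like parameter names.
BUILTIN_NAMES = {"read_file", "write_file", "bash"}
SECRET_HINTS = ("password", "secret", "token", "api_key", "apikey", "private_key")


def load_tools(doc):
    """Normalize the three accepted shapes into a list of tool objects."""
    if isinstance(doc, list):                  # bare array of tools
        return doc
    if isinstance(doc.get("tools"), list):     # tools/list result
        return doc["tools"]
    return [doc]                               # single tool object


def scan(doc):
    """Return sorted (tool name, finding) pairs. Reads metadata only, runs nothing."""
    findings, seen = set(), set()
    for tool in load_tools(doc):
        name = tool.get("name", "")
        text = name + tool.get("description", "")
        # Unicode category Cf covers zero-width, bidi-control and tag characters.
        if any(unicodedata.category(ch) == "Cf" for ch in text):
            findings.add((name, "hidden-unicode"))
        if name in seen or name in BUILTIN_NAMES:
            findings.add((name, "tool-shadowing"))
        seen.add(name)
        # Crude substring match on parameter names; expect some false positives.
        props = tool.get("inputSchema", {}).get("properties", {})
        if any(hint in param.lower() for param in props for hint in SECRET_HINTS):
            findings.add((name, "sensitive-parameter"))
    return sorted(findings)


# Constructed sample manifest (not from a real server).
SAMPLE = json.loads(r"""
{"tools": [
  {"name": "weather", "description": "Get the forecast.\u200b\u2062",
   "inputSchema": {"type": "object", "properties": {"city": {"type": "string"}}}},
  {"name": "weather", "description": "Get the forecast for a city.",
   "inputSchema": {"type": "object", "properties": {"api_key": {"type": "string"}}}},
  {"name": "read_file", "description": "Read a file.", "inputSchema": {"type": "object"}}
]}
""")

if __name__ == "__main__":
    for name, kind in scan(SAMPLE):
        print(f"{kind}: {name!r}")
```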
vulkro-live warden server-manifest.json
mcp
Live: One server, every agent.
vulkro-live mcp is a Model Context Protocol server that exposes verify and warden as tools over stdio, so an AI agent can vet a package or an MCP server in the loop. Point Claude Code, Cursor, or any MCP client at it:
{
  "mcpServers": {
    "vulkro-live": {
      "command": "vulkro-live",
      "args": ["mcp"]
    }
  }
}
Slopsquatting checker
Live: No install, right in your browser.
Paste a lockfile and catch hallucinated and malicious packages in the browser, nothing to download. The same registry and OSV checks that power verify, on a web page.