@aximur/package-guard
v0.1.0
Published
Stop AI coding agents from installing hallucinated, nonexistent, typo-close, or slopsquatted npm/PyPI packages before install.
Downloads
98
Maintainers
Readme
AXIMUR Package Guard
AXIMUR Package Guard stops AI coding agents from installing hallucinated, nonexistent, typo-close, or slopsquatted npm/PyPI packages before install.
It runs as a local CLI, npm preinstall hook, pip preinstall hook, or MCP-compatible package validation tool. Also available as @aximur/guard-hook.
Install
npm install -D @aximur/package-guardNo account, token, or secret is required for standalone mode.
What it catches
requests-> safereqeusts-> suspiciousreact-> safeloadash-> suspiciousdefinitely-not-a-real-package-name-> danger
Package Guard checks registry existence and typo-close names before install, so agent-generated dependency mistakes can be stopped before they enter a repo.
Accurate commands
aximur-guard requests --ecosystem pypi --standalone
aximur-guard reqeusts --ecosystem pypi --standalone --json --fail-on suspicious
aximur-guard react --ecosystem npm --standalone
node hooks/npm-preinstall.js react --standalone --json
python hooks/pip-preinstall.py requirements.txtnpm preinstall hook
Copy hooks/npm-preinstall.js into your repo, then add:
{
"scripts": {
"preinstall": "node hooks/npm-preinstall.js --standalone --fail-on danger"
}
}Strict mode blocks both suspicious and danger findings:
{
"scripts": {
"preinstall": "node hooks/npm-preinstall.js --standalone --fail-on suspicious"
}
}pip preinstall hook
Copy hooks/pip-preinstall.py into your repo, then run it before pip install:
python hooks/pip-preinstall.py requirements.txt
python hooks/pip-preinstall.py --fail-on suspicious requirements.txtMCP tool
Package Guard exposes an MCP-compatible validation tool:
validate_package(package_name, ecosystem, fail_on)Use it to check npm or PyPI package names before an AI coding agent installs them.
Blocked terminal warning
When Package Guard blocks a suspicious or dangerous install, it prints [AXIMUR PACKAGE GUARD] ACTION BLOCKED with the package, ecosystem, verdict, and reason. Safe package checks do not print paid checkout links.
Blocked warnings include two upgrade paths:
- Team Starter hosted checks/API keys: https://buy.stripe.com/eVq3cxd9m0Ws5X70IwfIs04
- Agent Security Setup one-time setup help: https://buy.stripe.com/aFa7sNd9meNiadn3UIfIs05
Team Starter
Need team-wide hosted checks, API keys, and higher-volume validation? AXIMUR Guard Team Starter is $49/mo per workspace for 25,000 hosted package-validation checks/month.
https://buy.stripe.com/eVq3cxd9m0Ws5X70IwfIs04
Paid setup
Need help wiring this into a real repo, CI workflow, Claude Code, Cursor, Copilot, or MCP-compatible agent setup?
AXIMUR Agent Security Setup is a one-time $499 setup service for npm/pip guard configuration, fail-on-danger policy, optional fail-on-suspicious mode, and setup help.
https://buy.stripe.com/aFa7sNd9meNiadn3UIfIs05
