Vibe-coding sessions can go awry in many ways. One way is for the agent to offer to install a weird package. It will frequently pull an obscure GitHub repo over an official SDK. AI training data is biased toward whatever packages were popular or well-documented during training, not necessarily what’s safe or well-maintained.

This happened to me recently: I was trying to connect Go with OpenAI when the agent suggested installing an unofficial implementation over OpenAI’s own SDK. Nothing obviously wrong with that particular package, but it got me thinking about how this could be prevented. We’re automating ourselves toward new vulnerabilities. As we allow these tools to become more autonomous, we need defenses that work automatically too.

So I added a new slopsquat directory to Scary Strings that tracks risky packages.

My immediate motivation is to use it to track and prevent strange packages that AI tools suggest in the wild, though of course it is also simply a collection of weird libraries that go against sensible defaults.

Developers can then wire this list into their package managers (like depguard in Go) to automatically reject these suggestions before they make it into production.

Using this list to block packages in CI protects against both human mistakes and AI agents running wild. Whether you’re a dev who is too busy to investigate every package, or an autonomous agent in full YOLO mode, the safety net catches both.