The Crypto Coin Was the Tell | Vexjoy<br>TL;DR<br>GSD's creator rug-pulled and vanished. He still has NPM publish access to packages with deep shell permissions on your machine. What to do and what it means.

If you have the Get Shit Done npm package installed, uninstall it today.<br>The original creator launched a $GSD crypto token, drained it once enough people bought in, deleted his social accounts, and disappeared. The community forked the project overnight to get-shit-done-redux and did a security audit. That part is being handled.<br>The part that is still a problem: he still has publish access to the original npm packages, and nothing in the npm registry revokes credentials when someone vanishes. GSD agents run with deep shell and bash permissions on your local machine. The current packages aren&rsquo;t known to be malicious, but that framing misses the point because the relevant question isn&rsquo;t whether they&rsquo;re malicious now, it&rsquo;s whether the person who controls the update path has a reason to be angry and no longer has any accountability. The trust relationship collapsed. One person who might have grievances still controls what gets installed on your machine.<br>That is a different risk category than an abandoned project.<br>What to run#<br>If you installed via npm:<br>npm uninstall -g get-shit-done-cc<br>npm uninstall -g @gsd-build/sdk

If you used npx:<br>npx get-shit-done-cc --uninstall --global

Or if you did a local install:<br>npx get-shit-done-cc --uninstall --local

Also worth checking: ~/.npm/_npx/ and your .claude folder for any gsd directories that aren&rsquo;t markdown files.<br>The community fork lives at open-gsd/get-shit-done-redux if you want to keep using a GSD-based workflow:<br>npx @opengsd/get-shit-done-redux@latest

The thing I wanted to say#<br>I left a comment on the Reddit thread when this broke:<br>They were the first large ai setup to take a bunch of my creations. I felt slighted at the time that there were no citations or anything, but it makes sense.<br>It just felt sort of gross how they vacuum&rsquo;d up everyone&rsquo;s ideas, and then tried to profit off of it. My stuff is complex and for my usage. But I spent real time coming up with the ideas, and seeing the crypto coin made me upset.

I wrote about the attribution question back in March. I came down on convergent evolution as the honest answer. Ideas spread in ways nobody can trace when Claude is in the loop. You build something, Claude reads it or someone describes it, and the same patterns show up somewhere else without any visible chain connecting them.<br>The crypto token changed how I think about that.<br>Not because attribution suddenly matters more. But because launching a token revealed what the project was actually for, and once you see that the architecture was a means to build a community and the community was a means to sell a token, the vacuum-ing up of ideas starts to look less like convergent evolution and more like value extraction.<br>That&rsquo;s the gross part. Not the copying. The purpose behind it.<br>What this exposes#<br>About a year ago I started building vexjoy-agent. The /do router went public on this blog December 24, 2025. By the time the $GSD token launched, the system already had 44 domain specialist agents, 121 workflow skills, and 77 lifecycle hooks that fire on Claude Code lifecycle events.<br>Three commands. git clone, cd, ./install.sh. The installer deploys across Claude Code, Codex, Gemini, and Factory automatically. One question asked: symlink mode for live updates, or copy mode for a stable snapshot.<br>None of it goes through npm.<br>That turned out to matter more than I thought when I made the choice. Every file in the repo is markdown, Python, or a schema. You can read all of it before running anything. Nobody pushes a silent update to your machine without going through git, where you would see it.<br>When you install an npm package from a popular repo, you&rsquo;re trusting whoever holds the publish keys. When the creator disappears with the funds, that trust doesn&rsquo;t transfer to the community fork automatically. The npm registry doesn&rsquo;t know what happened. It still runs whatever gets pushed to the old package.<br>What I&rsquo;d actually do#<br>I&rsquo;m not here to tell you what to use. The community fork seems reasonable. The Claude Code plugin marketplace version seems reasonable. Both removed the original creator from the update path.<br>But worth asking: do you actually need a framework at all?<br>Claude Code works well if you spend real time on your CLAUDE.md and let it build domain knowledge through normal use. The /do router started as a specific problem with variance, not a product I was designing. Each agent and skill came from a failure I kept hitting. The system is opinionated and shaped by my specific workflow. That specificity is what makes it actually useful rather than generic.<br>That&rsquo;s the point, actually.<br>Spend an afternoon cloning the ideas from whatever framework you like. Build only the parts you actually...