Holster-scan – catch AI-hallucinated package imports before agents run

davidnauta1 pts0 comments

GitHub - nauta-ai/holster-scan: Local-first scanner for AI-hallucinated / typosquatted (slopsquat) packages + agent boundary preflight — catches what generic SAST misses, before an agent runs or a repo is shared. · GitHub


holster-scan

See what an AI agent would inherit — and catch hallucinated/typosquatted packages — before the agent runs or the repo gets shared. Local. Free. No signup.

Coding agents (Claude Code, Cursor, Codex) and MCP servers now reach your files, shell, tokens, and tools. holster-scan reads your repo + agent config locally and tells you two things plainly: is this safe to run, and is this safe to share — plus the AI-specific risk nobody else checks: hallucinated / slopsquatted package imports.

Not another secret scanner. A pre-run / pre-share boundary check for AI-agent work.

```shell
pip install holster-scan   # or from source: pipx install git+https://github.com/nauta-ai/holster-scan
holster-scan .             # scan the current repo + any agent/MCP config
```

Runs entirely on your machine. Your code, configs, and secrets never leave it. No account, no telemetry.

What it catches

Hallucinated / slopsquatted packages — AI-invented imports (reqeusts, langchain-utils, panda) and published typosquats that real scanners miss. (95% recall, 0.36% false-positive rate on 10 major real repos.)

What the agent inherits — shell env, file scope, tokens, MCP tools, cloud creds.

Safe-to-share gaps — live-credential pointers, secrets in git history, MCP tools with no allow-list.

Blast radius — what a misused agent or shared config could actually reach.

A fix-first order — five steps, not two hundred warnings.

What it looks like

```text
$ holster-scan .

Agent Boundary Report · client-portal-agent

Safe to run?    ⚠ yes, with restrictions (2 to fix)
Safe to share?  ✗ no (3 blockers)
Risk            HIGH

PACKAGES
✗ reqeusts         hallucinated — typo of "requests" (not on PyPI)
✗ langchain-utils  hallucinated "-utils" helper of langchain

BOUNDARY
⚠ run wrapper inherits full shell env (AWS_*, STRIPE_* visible to agent)
⚠ MCP fs-server scope = $HOME, not project
✗ docker-compose.override.yml → live key path /Users/.../stripe/live.key
✗ .env present in git history (recoverable)
✗ MCP tool "shell.exec" has no allow-list

FIX FIRST
1 rotate the referenced live key
2 isolate the wrapper env
3 restrict MCP fs + shell.exec
4 scrub .env from history
5 re-run → target: safe to run + safe to share
```

Nothing left your machine.

In CI (GitHub Action)

```yaml
- uses: nauta-ai/holster-scan@v0
  with:
    fail-on: high    # fail the build on high-severity findings
    format: sarif    # results show in GitHub code scanning
```

Why it's different

AI-specific. It's not fighting Snyk/Semgrep on generic SAST — it catches the risks unique to AI-generated code and agent setups.

Local-first by design. Analysis runs on your machine. --offline works; unknown packages are flagged, never silently passed.

Boundary, not just secrets. A clean local run doesn't prove a clean shareable artifact. It checks both.

Allow-list your private packages — .holster.yml suppresses internal/vendor-index packages so the noise stays near zero.

Config

```yaml
# .holster.yml
allow: [ "torch_mlu", "internal-*" ]   # private/vendor packages, not flagged
fail_on: high
registry: on                           # PyPI existence + maintenance checks
```

Open-core. Free to run locally and in CI, forever.

Need a human to review a real client repo or agent setup in depth? We do a written Agent Boundary Review — safe-to-run / safe-to-share verdict, inheritance map, prioritized fixes — for one repo/config. Founder price $500. Optional live walkthrough. → nautaai.com/holster · Holster by Nauta AI.
