Install: claude install-skill aharwelik/import-sentinel
# Import Sentinel
Use this skill to validate imports in code, especially AI-generated code, before
it runs or is installed. It catches the two failure modes that matter: an import
that does not exist (a hallucination; an attacker who registers that name on the
package index gets it installed, which is the slopsquatting supply-chain attack)
and an import that is one character off from a real package (a typosquat).
## When to use
- Immediately after an agent or chat writes or edits code with new imports.
- As a pre-commit hook or CI step on the diff.
## Workflow
1. Run the scan and show the evidence:
```bash
python -m importsentinel scan <path-to-code-or-dir>
# or on a diff:
git diff | python -m importsentinel scan --diff
```
2. Treat CRITICAL (typosquat) and HIGH (unresolved) findings as blockers. For a
CRITICAL, the package is almost certainly meant to be the suggested popular
one; correct the spelling. For a HIGH, the import resolves to nothing real;
it is likely hallucinated, so remove it or replace it with a real API.
3. MEDIUM findings mean a real, popular package is used but not declared in the
manifest. Add it to requirements.txt / pyproject.toml / package.json and pin
it. Declaring and pinning it is itself a supply-chain defense: the manifest
becomes the allowlist that later scans resolve imports against, and the pin
fixes which artifact gets installed.
4. Re-run until clean. Do not install or run code with unresolved imports.
## How it decides
A name is trusted only if it resolves to the standard library, a declared
dependency, or a local module. Everything else is unresolved and fails closed.
Distribution aliases (for example import `yaml` fro