
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
Catch AI and human slop in English Markdown without calling an LLM. Slopless ships 50+ deterministic textlint rules and a CLI that emits structured JSON findings.
Given this paragraph (typical LLM prose):
In today's rapidly evolving landscape, it's important to note that AI tools
are revolutionizing how we work - truly transforming workflows in
unprecedented ways. By harnessing the power of large language models, teams
can delve into complex challenges, streamline operations, and unlock new
possibilities. But what does this really mean for you? In essence, the
future belongs to those who embrace these tools today. Not just to keep up,
not just to stay competitive, but to thrive.
npx slopless returns nine findings across seven rules:
[slopless/generic-signposting] it's important to note
[slopless/prohibited-phrases] it's important to note
[slopless/llm-vocabulary] landscape
[slopless/llm-vocabulary] delve
[slopless/prohibited-words] delve
[slopless/prohibited-words] unlock
[slopless/prohibited-phrases] the future belongs to
[slopless/negation-reframe] Not just X, not just Y, but Z
[slopless/flesch-kincaid] Flesch Reading Ease 56.05 (keep >= 61)
Full JSON output is the default. See the Rules page for the complete inventory.
npm install -D slopless
npx slopless install-skill codex
npx slopless install-skill claude
Then start a fresh writing-agent session and tell it to use the Slopless skill:
Use the Slopless skill. Check this Markdown, rewrite the prose, and keep iterating until Slopless passes.
Loop:
npx slopless "docs/**/*.md"
Slopless is English-only. It requires a file path, glob, or stdin input. A bare npx slopless exits with code 2.
Exit 0 means clean. Exit 1 means findings. Exit 2 means failure.
Output is always JSON:
mkdir -p .slopless/findings
npx slopless "docs/**/*.md" > ".slopless/findings/$(date +%Y-%m-%d-%H%M%S)--review.json"
Agents should run help first:
npx slopless --help
Agents should save raw JSON findings under .slopless/findings/ in the current working directory. Slopless does not choose redirected output filenames, slugs, or timestamps.
Install the Codex skill into the current repo:
npx slopless install-skill codex
Install the Claude Code skill into the current repo:
npx slopless install-skill claude
Both commands install the same slopless skill body. Start a new agent session after installing if the skill is not visible.
Use textlint comments around intentional exceptions:
<!-- textlint-disable slopless/semantic-thinness -->
Something shifted in the room.
<!-- textlint-enable slopless/semantic-thinness -->
textlint-disable block syntax.Every release since 0.2.13 is published from GitHub Actions via OIDC and carries a SLSA v1 provenance attestation recorded in the Sigstore transparency log.
npm audit signatures slopless
This confirms the tarball you installed was built in the published source repository's Actions environment, from the commit the GitHub Release points at.
Developed by seochecks.ai to keep content specific, useful, and recognizably human.
FAQs
Deterministic textlint rules and CLI for catching prose slop in English Markdown.
The npm package slopless receives a total of 217 weekly downloads. As such, slopless popularity was classified as not popular.
We found that slopless demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.