A developer known as mat-1 has released Slopcheck, an open-source command-line tool written in Rust that scans software projects and their dependency trees for indicators of AI-generated code. The tool works by inspecting Git commit histories for signatures left by known LLM coding agents such as Claude Code and GitHub Copilot, checking for the presence of AI-specific configuration files like CLAUDE.md and AGENTS.md, and flagging projects that include those files in their .gitignore — a heuristic the tool uses to identify potential attempts to conceal AI tool usage. Slopcheck also distinguishes between current and former LLM use, offering a basic temporal picture of AI involvement over a project's history. It is installable via cargo and available on GitHub.
The tool's most technically ambitious feature is its transitive dependency scanning, which extends AI-code detection beyond a single project to its entire upstream dependency graph. For Rust projects, Slopcheck uses cargo metadata to enumerate the dependency tree; for JavaScript projects, it parses package.json and recursively fetches package data from the npm registry. The tool caches cloned repositories and metadata in the OS cache directory with a 24-hour TTL to manage performance. By its own README's admission, Slopcheck mostly assumes dependencies are on their latest version, which means its flagging heuristic is temporally imprecise — a single AI-assisted commit anywhere in a transitive dependency's history can surface as an indicator for downstream projects.
Slopcheck's Show HN post introduced an unusual approach to software provenance: transitive AI-code attribution, analogous to how copyleft licenses propagate through dependency trees, but without any formal legal or quality standard attached. Unlike license compliance, where obligations are codified, Slopcheck's flagging carries no evidentiary bar — a project can be marked as having AI indicators solely due to a commit in a deeply nested upstream package whose maintainer had no connection to the downstream project.
That design choice raises practical questions about how tools like Slopcheck could be used if integrated into gatekeeping workflows such as <a href="/news/2026-03-14-anti-slop-github-action-with-31-rules-to-auto-close-ai-generated-low-quality-prs">CI pipelines</a>, package registry policies, or contributor vetting processes. The tool detects the presence of AI involvement, not the quality or correctness of the resulting code, making it a blunt signal at best. Slopcheck currently handles Rust and JavaScript dependency graphs; the natural next targets would be Python and Go, neither of which mat-1 has announced support for.