Trace scans AI-generated code for hallucinated dependencies (package names that don't exist, can't be installed, or were simply made up) before they become a security or reliability problem.
When an AI agent writes code, it generates package names from training data, and sometimes those names are plausible-sounding but fictional. The agent doesn't know the package doesn't exist. It just writes what seems right.
The risk is twofold. A hallucinated package name that gets registered by a malicious actor becomes a supply chain attack waiting to happen. A package that simply doesn't exist breaks your build in a way that's hard to diagnose.
Trace catches both before pip install or npm install runs.
Every package name is checked against PyPI, npm, and other registries. Packages that don't exist are flagged immediately, regardless of version.
Packages with plausible but unverifiable names, common in AI hallucinations, are flagged for review rather than silently passed.
Scans Python requirements files, package.json, and other common dependency formats. Where the agent writes code, Trace follows.
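The existence check described above, sketched for a Python requirements file; this is an added example, not Trace's own code. The function names, the sample file and the offline `KNOWN` set are assumptions made for illustration, and only the PyPI JSON endpoint in `pypi_exists` is a real interface.

```python
import re
import urllib.error
import urllib.request

_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")  # leading PEP 508 project name

def normalize(name):
    """PEP 503 normalization: Flask_Login and flask-login are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Return normalized project names found in requirements.txt content."""
    names = []
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(("#", "-")) or "://" in line:
            continue  # comment lines, pip options (-r, -e, --hash), direct URLs
        m = _NAME.match(line)                          # stops at extras, versions, markers
        if m:
            names.append(normalize(m.group(1)))
    return names

def pypi_exists(name, timeout=10):
    """True if PyPI's JSON API knows the project; a 404 means it is not registered."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise  # any other failure is not evidence either way

def missing_packages(text, exists=pypi_exists):
    """Unique names, in file order, that the registry lookup reports as absent."""
    return [n for n in dict.fromkeys(parse_requirements(text)) if not exists(n)]

# Constructed sample; "fastjson-validator-pro" is an invented name for this example.
SAMPLE = """\
requests[security]>=2.31  # http client
Flask_Login==0.6.3
fastjson-validator-pro>=1.0 ; python_version >= "3.9"
-r dev-requirements.txt
git+https://example.invalid/repo.git#egg=thing
"""
# Constructed stand-in for the registry so the example runs offline.
KNOWN = {"requests", "flask-login"}
print(missing_packages(SAMPLE, exists=KNOWN.__contains__))
```

Run this before any install step and fail the build when the list is non-empty. A name that does resolve is not proof the package is the intended one, which is why the review flag for plausible but unverifiable names is a separate check.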
We're in early exploration for Trace. If AI-generated dependencies are causing friction in your workflow, we'd genuinely like to understand the problem better. Leave your email and we'll be in touch.