Scan an AI component before you trust it
Supply-chain risk, dangerous capabilities, prompt-injection and exfiltration surfaces — derived only from the component itself. Free, no account.
How it works
1. Submit a component
Paste a public git URL (GitHub/GitLab/Bitbucket/Hugging Face) or an npm:/pypi: package — an MCP server, agent skill/plugin, model repo, or package.
2. We analyze the component itself
Deterministic static analysis — no execution, no LLM: capabilities, dangerous APIs, prompt-injection and exfiltration surfaces.
3. Get an evidence-backed report
A risk score and every finding anchored to file, line and snippet — export as JSON or SARIF.
What you get
Free
Always free
The full static report — no account needed.
- Risk score (0–100) and level
- All capabilities the component exposes
- Every finding with file:line evidence
- JSON and SARIF export
Deep Analysis
Coming soon
Server-side analysis that explains why a finding matters.
- LLM verification of each finding
- Exploitability & impact analysis
- Tailored remediation guidance
- History & monitoring