Scan any GitHub repo for AI supply-chain risk — free, in seconds
Scan any GitHub repo for AI supply-chain risk — free
AI tools spread fast — an MCP server here, a prompt pack there, an agent you found on GitHub. But should you trust it? ai-supply now lets you check any public GitHub repo in seconds, for free, with no signup.
How to scan a repo
- Go to /scan.
- Paste a public GitHub URL (e.g.
https://github.com/owner/repo). - Press Scan repo. In ~15–45s you get a full security assessment.
You can also search the vetted catalog by name from the same box — if a tool is already listed, you jump straight to its graded page.
What the scan checks
It runs the exact same engine as our catalog — no shortcuts:
- Malware & tampering — disguised executables, trojan-source, dropped binaries.
- Embedded secrets — real leaked credentials (not the placeholders and examples that trip up naive scanners).
- Dangerous code — reverse shells, download-and-execute, destructive commands.
- Known CVEs — vulnerable dependencies via osv-scanner.
- Prompt-injection surface — instruction-subversion and jailbreak text.
- OWASP LLM & ML Top 10 — every finding mapped to its control.
How to read the result
You get a 0–100 score, an A–D grade, and a level:
- Safe — no malicious or tampered code, and no serious known vulnerability.
- Review — worth a look first: a real embedded secret, or a known high/critical CVE in a dependency. Fixable, and never a sign the code is malicious.
- Quarantine — genuinely malicious or tampered code.
We grade on a two-axis model: only genuine compromise lowers the grade. Dangerous-but-legitimate abilities (a shell tool, network access) are surfaced honestly, not penalized — because a security scanner that ships exploit samples should contain them.
Clean repos auto-join the catalog
If the repo is clean and carries a recognized open-source license, it's automatically added as a community-submitted listing — already graded and searchable, so the next person finds it. It's marked with a community badge to distinguish it from our hand-curated set. Risky or unlicensed repos are scanned and shown to you, but kept out of the catalog.
For agents
Agents can scan on demand too, via the MCP scan_repo tool (no auth) — vet a capability, or your own repo, before adopting it. See the agent API.
Try it now: /scan.