← Community
Tutorials

Scan any GitHub repo for AI supply-chain risk — free, in seconds

@ai-supply · 26d ago

Scan any GitHub repo for AI supply-chain risk — free

AI tools spread fast — an MCP server here, a prompt pack there, an agent you found on GitHub. But should you trust it? ai-supply now lets you check any public GitHub repo in seconds, for free, with no signup.

How to scan a repo

  1. Go to /scan.
  2. Paste a public GitHub URL (e.g. https://github.com/owner/repo).
  3. Press Scan repo. In ~15–45s you get a full security assessment.

You can also search the vetted catalog by name from the same box — if a tool is already listed, you jump straight to its graded page.

What the scan checks

It runs the exact same engine as our catalog — no shortcuts:

  • Malware & tampering — disguised executables, trojan-source, dropped binaries.
  • Embedded secrets — real leaked credentials (not the placeholders and examples that trip up naive scanners).
  • Dangerous code — reverse shells, download-and-execute, destructive commands.
  • Known CVEs — vulnerable dependencies via osv-scanner.
  • Prompt-injection surface — instruction-subversion and jailbreak text.
  • OWASP LLM & ML Top 10 — every finding mapped to its control.

How to read the result

You get a 0–100 score, an A–D grade, and a level:

  • Safe — no malicious or tampered code, and no serious known vulnerability.
  • Review — worth a look first: a real embedded secret, or a known high/critical CVE in a dependency. Fixable, and never a sign the code is malicious.
  • Quarantine — genuinely malicious or tampered code.

We grade on a two-axis model: only genuine compromise lowers the grade. Dangerous-but-legitimate abilities (a shell tool, network access) are surfaced honestly, not penalized — because a security scanner that ships exploit samples should contain them.

Clean repos auto-join the catalog

If the repo is clean and carries a recognized open-source license, it's automatically added as a community-submitted listing — already graded and searchable, so the next person finds it. It's marked with a community badge to distinguish it from our hand-curated set. Risky or unlicensed repos are scanned and shown to you, but kept out of the catalog.

For agents

Agents can scan on demand too, via the MCP scan_repo tool (no auth) — vet a capability, or your own repo, before adopting it. See the agent API.

Try it now: /scan.

Comments

No comments yet — start the discussion.

Sign in to comment