Skip to content
ai-supply.store
탐색카테고리리더보드커뮤니티Agent APIFAQ
로그인무료 가입
catalog / Coding / CodeCompanion.nvim
⊕PluginCodingFree

CodeCompanion.nvim

AI coding assistant for Neovim with chat, inline actions, and multi-provider LLM support.

@ai-supply
설치 수1.4k
↗ 소스 저장소
← More CodingCoding leaderboard →How we grade security →Source ↗

CodeCompanion.nvim

An AI coding assistant for Neovim that brings chat, inline code actions, and agent-style workflows directly into the editor, 'Vim style.'

It supports many LLM providers (Anthropic, OpenAI, Ollama, Copilot and more), ships a prompt library of actions (explain, fix, test, refactor), and integrates with buffers and the quickfix list so suggestions land where you work.

Apache-2.0 licensed and lightweight, aimed at developers who want AI assistance without leaving the terminal.

Rating rank
#1
of 27 in Coding
Install rank
#24
of 27 in Coding
Security score
100/100 · A
safe
Security rank
#1
of 27 in Coding
Installs
1.4k
cat avg 157k
This listing vs category average
Installs
this
cat avg
Security (of 100)
this
cat avg
Adoption trend
See the Coding leaderboard →
✓ Security: Safe · 100100/100 · grade Ascanned 15h ago
✓ no compromise signals31 risk-surface · 9/20 OWASP controls flagged

Compromise signals — malicious or tampered code (leaked secrets, backdoors, a dropped executable) — reduce the score, and known dependency CVEs carry a bounded penalty (they warrant review but never QUARANTINE — update the dependency to clear). Other dangerous-by-capability traits are risk surface, expected for some capabilities. Every finding is mapped to its OWASP control below.

What this capability can do · high confidence (static)
Tools (1)
CodeCompanion.nvim
⚑ filesystem⚑ shell⚑ network⚑ secrets
egress → agentclientprotocol.com, www.jsonrpc.org, www.aol.com, en.wikipedia.org, www.espn.com, www.sufc.co.uk, x.com, www.skysports.com +32

Findings mapped to the OWASP Top 10 for LLM Applications (2025) and the OWASP Machine Learning Security Top 10. Expand any flagged control for the exact findings — compromise reduces the score; expected/risk-surface do not.

OWASP Top 10 for LLM Applications
⚠LLM01Prompt Injectionhigh
Adversarial instructions embedded in an artifact that hijack a downstream LLM.
•Prompt-injection phrasing — instruction-subversion language detected · olimorris-codecompanion.nvim-c8bd2d0/doc/architecture.md (CWE-77)risk surface
⚠LLM02Sensitive Information Disclosurehigh
Secrets, credentials or PII shipped inside the artifact.
•Embedded credentials — found: hardcoded credential · olimorris-codecompanion.nvim-c8bd2d0/doc/codecompanion.txt (CWE-798)expected
⚠LLM05Improper Output Handlinghigh
Code that pipes model/user output into shell, eval, SQL or paths unsafely.
•Path traversal sequences — '../' present in content or name · olimorris-codecompanion.nvim-c8bd2d0/.codecompanion/acp/claude_code_acp.md (CWE-22)risk surface
•Suspicious code patterns — destructive rm -rf / · olimorris-codecompanion.nvim-c8bd2d0/Dockerfile (CWE-78)risk surface
•Suspicious code patterns — child_process exec · olimorris-codecompanion.nvim-c8bd2d0/doc/.vitepress/config.mjs (CWE-78)risk surface
⚠LLM06Excessive Agencyhigh
Over-broad tool/permission surface or unrestricted egress.
•Broad capability surface — 3 high-impact capability categories referenced — verify least-privilege · olimorris-codecompanion.nvim-c8bd2d0/.codecompanion/acp/acp.md (CWE-272)risk surface
•External endpoints declared — 3 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/.codecompanion/acp/acp_json_schema.jsonrisk surface
•External endpoints declared — 10 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/.codecompanion/acp/claude_code_acp.mdrisk surface
•External endpoints declared — 1 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/.codecompanion/tests/mini_test_testing.mdrisk surface
•External endpoints declared — 2 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/.github/workflows/claude.ymlrisk surface
•Broad capability surface — 4 high-impact capability categories referenced — verify least-privilege · olimorris-codecompanion.nvim-c8bd2d0/AGENTS.md (CWE-272)risk surface
•Egress to a private/loopback host — 127.0.0.1 · olimorris-codecompanion.nvim-c8bd2d0/CONTRIBUTING.md (CWE-918)risk surface
•External endpoints declared — 7 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/CONTRIBUTING.mdrisk surface
•External endpoints declared — 23 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/README.mdrisk surface
•External endpoints declared — 5 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/doc/.vitepress/config.mjsrisk surface
•External endpoints declared — 4 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/doc/architecture.mdrisk surface
•Egress to a private/loopback host — 127.0.0.1, 192.168.1.100 · olimorris-codecompanion.nvim-c8bd2d0/doc/codecompanion.txt (CWE-918)risk surface
•External endpoints declared — 43 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/doc/codecompanion.txtrisk surface
•External endpoints declared — 18 distinct host(s) · olimorris-codecompanion.nvim-c8bd2d0/doc/configuration/adapters-acp.mdrisk surface
•Egress to a private/loopback host — 192.168.1.100 · olimorris-codecompanion.nvim-c8bd2d0/tests/adapters/http/test_ollama.lua (CWE-918)risk surface
•Egress to a private/loopback host — 0.0.0.0 · olimorris-codecompanion.nvim-c8bd2d0/tests/mcp/test_mcp_tools.lua (CWE-918)risk surface
⚠LLM07System Prompt Leakagehigh
Secrets, internal hosts or proprietary logic exposed in shipped prompts.
•Embedded credentials — found: hardcoded credential · olimorris-codecompanion.nvim-c8bd2d0/doc/codecompanion.txt (CWE-798)expected
•Internal host / private infrastructure reference — shipped content references a private IP range or internal-only host · olimorris-codecompanion.nvim-c8bd2d0/doc/codecompanion.txt (CWE-200)risk surface
⚠LLM03Supply Chainlow
Vulnerable/compromised dependencies, models or archives in the artifact.
•Dependency manifest — 6 npm dependencies declared · olimorris-codecompanion.nvim-c8bd2d0/doc/package.jsonrisk surface
§LLM09MisinformationGovernance
Artifacts designed to produce false/deceptive output.
Detectable only by runtime behavioral evaluation; addressed via responsible-use attestation.
◷LLM10Unbounded ConsumptionRuntime-enforced
Unbounded loops/recursion causing DoS or runaway cost.
Enforced at runtime by the gateway (rate limits + spend caps + size caps); static check flags unbounded loops.
✓LLM04Data and Model PoisoningPassed
Backdoors/poisoning in training data or serialized models.
Behavioral poisoning needs model execution; static check covers unsafe serialization + dataset skew only.
✓LLM08Vector and Embedding WeaknessesPassed
PII or plaintext source leakage in embedding/vector exports.
Embedding inversion/poisoning is largely runtime; static check covers PII in vector exports.
OWASP Machine Learning Security Top 10
⚠ML02Data Poisoninghigh
Poisoned training datasets with triggers or anomalous distributions.
Static check covers trigger phrasing, PII and label skew; full poisoning detection is runtime.
•Prompt-injection phrasing — instruction-subversion language detected · olimorris-codecompanion.nvim-c8bd2d0/doc/architecture.md (CWE-77)risk surface
⚠ML09Output Integrityhigh
Middleware tampering with model outputs in transit.
Gateway enforces TLS + response integrity; static check flags output-rewriting code.
•Path traversal sequences — '../' present in content or name · olimorris-codecompanion.nvim-c8bd2d0/.codecompanion/acp/claude_code_acp.md (CWE-22)risk surface
•Suspicious code patterns — destructive rm -rf / · olimorris-codecompanion.nvim-c8bd2d0/Dockerfile (CWE-78)risk surface
•Suspicious code patterns — child_process exec · olimorris-codecompanion.nvim-c8bd2d0/doc/.vitepress/config.mjs (CWE-78)risk surface
⚠ML06AI Supply Chainlow
Compromised PyPI/npm packages, typosquats, unsafe serialized models.
•Dependency manifest — 6 npm dependencies declared · olimorris-codecompanion.nvim-c8bd2d0/doc/package.jsonrisk surface
§ML01Input Manipulation (Adversarial)Governance
Models vulnerable to adversarial perturbations.
Requires runtime robustness evaluation; addressed via publisher robustness attestation.
§ML03Model InversionGovernance
Training data reconstructable from a model's outputs.
Runtime/evaluation property; addressed via model-card data-provenance + DP attestation.
§ML04Membership InferenceGovernance
Determining whether a record was in the training set.
Runtime/evaluation property; addressed via overfitting disclosure + DP attestation.
§ML08Model SkewingGovernance
Models trained on skewed data producing biased output.
Requires fairness evaluation; addressed via model-card bias/limitations disclosure.
✓ML05Model TheftPassed
Unlicensed re-distribution / license-incompatible derivatives.
Static check verifies license declaration; extraction throttling is runtime.
✓ML07Transfer Learning AttackPassed
Backdoored base models / LoRA adapters propagating to derivatives.
Backdoor detection needs behavioral probing; static check covers unsafe serialization + provenance.
✓ML10Model Poisoning (Weights)Passed
Tampered model weight files; integrity must be verifiable.
Static check enforces safe formats + records a content hash for downstream verification.
Other findings (47) · hygiene / uncategorized
•Possible obfuscation — very long lines · olimorris-codecompanion.nvim-c8bd2d0/.codecompanion/acp/claude_code_acp.mdrisk surface
•Unrecognized file type — '.dockerignore' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/.dockerignorerisk surface
•Unrecognized file type — '.gitignore' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/.gitignorerisk surface
•Suspicious network references — raw IP URL (19 URLs) · olimorris-codecompanion.nvim-c8bd2d0/CONTRIBUTING.mdrisk surface
•Unrecognized file type — '.?' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/Dockerfilerisk surface
•Suspicious network references — suspicious TLD (3 URLs) · olimorris-codecompanion.nvim-c8bd2d0/Dockerfilerisk surface
•Disallowed file type — '.ps1' executables are not permitted · olimorris-codecompanion.nvim-c8bd2d0/Make.ps1 (CWE-434)risk surface
•Unrecognized file type — '.mjs' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/doc/.vitepress/config.mjsrisk surface
•Suspicious network references — raw IP URL (242 URLs) · olimorris-codecompanion.nvim-c8bd2d0/doc/codecompanion.txtrisk surface
•Suspicious network references — raw IP URL (23 URLs) · olimorris-codecompanion.nvim-c8bd2d0/doc/configuration/adapters-http.mdrisk surface
•Unrecognized file type — '.lua' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/lua/codecompanion/_extensions/init.luarisk surface
•Unrecognized file type — '.scm' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/queries/c/cc_symbols.scmrisk surface
•Suspicious network references — suspicious TLD (4 URLs) · olimorris-codecompanion.nvim-c8bd2d0/scripts/ci-install.shrisk surface
•Possible obfuscation — large base64 blob · olimorris-codecompanion.nvim-c8bd2d0/tests/adapters/http/copilot/stubs/copilot_tools_streaming_reasoning.txtrisk surface
•Unrecognized file type — '.orig' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/adapters/http/stubs/ollama_reasoning_no_streaming.txt.origrisk surface
•Suspicious network references — raw IP URL (4 URLs) · olimorris-codecompanion.nvim-c8bd2d0/tests/adapters/http/test_ollama.luarisk surface
•Suspicious network references — raw IP URL (1 URLs) · olimorris-codecompanion.nvim-c8bd2d0/tests/mcp/test_mcp_tools.luarisk surface
•Unrecognized file type — '.lua---compaction---locks-the-buffer-and-shows-a-status-while-the-request-is-in-flight' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-context_management-test_compaction.lua---Compaction---locks-the-buffer-and-shows-a-status-while-the-request-is-in-flightrisk surface
•Unrecognized file type — '.lua---compaction---renders-the-compacted-chat-buffer-correctly' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-context_management-test_compaction.lua---Compaction---renders-the-compacted-chat-buffer-correctlyrisk surface
•Unrecognized file type — '.lua---chat---chat-buffer-is-initialized' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-test_chat.lua---Chat---chat-buffer-is-initializedrisk surface
•Unrecognized file type — '.lua---chat---loading-from-the-prompt-library-sets-the-correct-header_line' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-test_chat.lua---Chat---loading-from-the-prompt-library-sets-the-correct-header_linerisk surface
•Unrecognized file type — '.lua---context---does-not-fold-single-context-item-but-applies-extmark' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-test_context.lua---Context---does-not-fold-single-context-item-but-applies-extmarkrisk surface
•Unrecognized file type — '.lua---settings---are-rendered-correctly' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-test_settings.lua---Settings---Are-rendered-correctlyrisk surface
•Unrecognized file type — '.lua---run_command-tool' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-tools-builtin-test_run_command.lua---run_command-toolrisk surface
•Unrecognized file type — '.lua---tool-output---folds---can-be-folded' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-tools-builtin-test_tool_output.lua---Tool-output---Folds---can-be-foldedrisk surface
•Unrecognized file type — '.lua---tool-output---folds---does-not-fold-single-line-output-but-applies-extmarks' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-tools-builtin-test_tool_output.lua---Tool-output---Folds---does-not-fold-single-line-output-but-applies-extmarksrisk surface
•Unrecognized file type — '.lua---tool-output---is-displayed-and-formatted-in-the-chat-buffer' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-tools-builtin-test_tool_output.lua---Tool-output---is-displayed-and-formatted-in-the-chat-bufferrisk surface
•Unrecognized file type — '.lua---reasoning-folds---creates-fold-from-header+1-to-before-response-header' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-ui-test_fold_reasoning_output.lua---Reasoning-folds---creates-fold-from-header+1-to-before-Response-headerrisk surface
•Unrecognized file type — '.lua---reasoning-folds---preserves-earlier-folds-when-adding-a-new-reasoning-fold' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-interactions-chat-ui-test_fold_reasoning_output.lua---Reasoning-folds---preserves-earlier-folds-when-adding-a-new-reasoning-foldrisk surface
•Unrecognized file type — '.lua---cmds----codecompanionchat' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_cmds.lua---cmds----CodeCompanionChatrisk surface
•Unrecognized file type — '.lua---cmds----codecompanionchat-toggle' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_cmds.lua---cmds----CodeCompanionChat-Togglerisk surface
•Unrecognized file type — '.lua---cmds_tab----codecompanionchat-toggle-goes-to-chat-from-any-other-tab' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_cmds.lua---cmds_tab----CodeCompanionChat-Toggle-goes-to-chat-from-any-other-tabrisk surface
•Unrecognized file type — '.lua---cmds_tab----codecompanionchat-toggle-goes-to-last-tab-from-chat' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_cmds.lua---cmds_tab----CodeCompanionChat-Toggle-goes-to-last-tab-from-chatrisk surface
•Unrecognized file type — '.lua---cmds_tab----codecompanionchat-opens-in-tab-when-set-in-config' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_cmds.lua---cmds_tab----CodeCompanionChat-opens-in-tab-when-set-in-configrisk surface
•Unrecognized file type — '.lua---cmds_tab_sticky----codecompanionchat-doesnt-follow-if-sticky-is-set' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_cmds.lua---cmds_tab_sticky----CodeCompanionChat-doesnt-follow-if-sticky-is-setrisk surface
•Unrecognized file type — '.lua---diff---inline-integration-test---example-1' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_diff.lua---Diff---Inline-Integration-Test---Example-1risk surface
•Unrecognized file type — '.lua---diff---integration-test---example-1' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_diff.lua---Diff---Integration-Test---Example-1risk surface
•Unrecognized file type — '.lua---diff---integration-test---example-2' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_diff.lua---Diff---Integration-Test---Example-2risk surface
•Unrecognized file type — '.lua---diff---integration-test---example-3' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_diff.lua---Diff---Integration-Test---Example-3risk surface
•Unrecognized file type — '.lua---cli()---prompt=true-opens-the-input-buffer' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-test_init.lua---cli()---prompt=true-opens-the-input-bufferrisk surface
•Unrecognized file type — '.lua---ui-create_float-screenshots---creates-new-buffer-with-content' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-utils-test_ui.lua---UI-create_float-Screenshots---Creates-new-buffer-with-contentrisk surface
•Unrecognized file type — '.lua---ui-create_float-screenshots---uses-existing-buffer-without-overwriting-content' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/screenshots/tests-utils-test_ui.lua---UI-create_float-Screenshots---Uses-existing-buffer-without-overwriting-contentrisk surface
•Unrecognized file type — '.example' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/scripts/tool_testing/config.local.lua.examplerisk surface
•Unrecognized file type — '.expected' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/scripts/tool_testing/scenarios/insert_edit_into_file/adjacent_edits.lua.expectedrisk surface
•Unrecognized file type — '.input' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/scripts/tool_testing/scenarios/insert_edit_into_file/adjacent_edits.lua.inputrisk surface
•Unrecognized file type — '.jsonl' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/stubs/acp/permission_two_step.jsonlrisk surface
•Unrecognized file type — '.rules' is not on the allowlist · olimorris-codecompanion.nvim-c8bd2d0/tests/stubs/rules/.rulesrisk surface
✔ verified source · pinned olimorris-codecompanion.nvim-c8bd2d0
Check against a policy

The same gate an agent runs before installing (POST /api/v1/trust/codecompanion-nvim/check). Click a policy:

Consume CodeCompanion.nvim programmatically. Authenticate with an API key or session — see Authorize an agent.

# Agents: CHECK BEFORE YOU INSTALL (no auth) — score, grade, level, capability manifest
curl https://ai-supply.store/api/v1/trust/codecompanion-nvim

# Gate against your org policy (returns { pass, violations })
curl -X POST https://ai-supply.store/api/v1/trust/codecompanion-nvim/check \
  -H "Content-Type: application/json" \
  -d '{"minGrade":"B","denyPermissions":["shell"],"denyUnknownEgress":true}'

# CLI
npx ai-supply add codecompanion-nvim

# REST (install → download)
curl -X POST https://ai-supply.store/api/v1/listings/codecompanion-nvim/install \
  -H "Authorization: Bearer $AIM_KEY"

# MCP tool
install_listing({ "slug": "codecompanion-nvim" })
OpenAPI spec →
vlatest
✓ Security: Safe · 10017h ago

Curated mirror — latest upstream source. See the repository for tagged releases.

Sign in and install this listing to leave a review.

More from @ai-supply

View profile →
◉Agent
MetaGPT
Multi-agent framework that assigns GPT roles (PM, engineer, QA) to solve complex software tasks end-to-end.
↓ 1.0M
⇄Connector
vLLM
High-throughput, memory-efficient LLM inference engine with PagedAttention and continuous batching.
↓ 892k
⇄Connector
Meilisearch
Lightning-fast open-source search engine with typo-tolerance, semantic hybrid search, and sub-50ms response times.
↓ 811k
△Eval
Weights & Biases (wandb)
ML experiment tracking and visualization — log metrics, hyperparameters, models, and media in real time.
↓ 784k
ai-supply.store

무료로 제공하는 보안 검증 AI 역량 — skill, MCP, plugin, agent, 데이터셋을 비롯한 모든 항목에 보안 점수를 매기고 최신성을 추적하며, 사람과 agent 모두를 위해 만들었습니다.

api · v3.1status · all green
문의하기
support@ai-supply.storesecurity@ai-supply.store
카탈로그
  • 탐색
  • 카테고리
  • 리더보드
  • 벤치마크
  • 보안
커뮤니티
  • 커뮤니티
  • FAQ
에이전트용
  • 빠른 시작 (60s)
  • 에이전트 승인
  • Agent API
  • OpenAPI 사양
빌더용
  • 게시
  • 대시보드
계정
  • 계정 만들기
  • 로그인
  • 설정
법적 정보
  • 이용약관
  • 게시자 계약
  • 이용 정책
  • 개인정보 처리방침