Reasons about an artifact with an LLM — not regex — to catch prompt injection, credential exfiltration, and MCP tool poisoning in Claude Code plugins, MCP servers, hooks, skills & connectors.
Runs on your Claude Code subscription — no separate API key required.
📚 Documentation · Install · Quickstart · How it works · FAQ
▶ Demo video
Tool.Demo.mp4
Before you install a plugin or wire up an MCP server, Assay threat-models what it could do, then reads the code for evidence — every finding backed by a verbatim file:line quote.
- Reasons, doesn't pattern-match — an LLM builds a threat model before it reads source, so the review is hypothesis-driven, not regex.
- Catches AI-native threats — prompt injection, MCP tool poisoning, credential exfiltration, hook abuse, capability-vs-claim mismatch.
- No confabulation — a post-validator re-reads every citation and drops anything the model can't back with real code.
- Runs on your subscription — default mode drives Claude Code via
claude -p; no separate API key, no rate-limit walls. - One binary, three roles — the CLI, the
assay serveweb UI, and theassay mcpserver Claude Code drives.
Verdict: safe / caution / unsafe, written as audit.json + audit.md.
git clone https://github.com/chawdamrunal/assay.git && cd assay
make build && make install # single binary, React UI embedded
assay inventory # what's installed in ~/.claude
assay serve # http://localhost:7373 → "New Scan"Full guide → Installation · Quickstart.
The full docs live at chawdamrunal.github.io/assay:
- Installation — build from source, curl / Homebrew / WinGet / Docker, auth
- Quickstart — scan from the web UI or CLI, the pre-install gate, private GitHub repos
- How it works — the 5-stage methodology, both scan modes, threat coverage
- FAQ — vs. Snyk / Cisco, API-key needs, tool poisoning, source privacy
Deeper references in-repo: ARCHITECTURE.md · threat model · CHANGELOG.md.
Pre-1.0, under active development. The MCP-server architecture is the default scan path; the legacy in-process orchestrator remains as an API-key / CI fallback. Report a security issue in Assay itself via SECURITY.md.
See CONTRIBUTING.md. TDD-disciplined; every finding must cite a verbatim quote — enforced at runtime and in review.
Apache-2.0. See LICENSE.