RubyGems, npm & PyPI support

Supply chain risk analysis for AI agents.

Every package version scored across five risk dimensions — at the moment your agents reach for it.

Five dimensions of risk

Gradient scores from 0–1 across every facet that matters. Not a pass/fail.

LICENSE COMPLIANCE

Does the package declare a recognized open source license? Missing or non-standard licenses create legal risk.

MAINTENANCE HEALTH

Is the package actively maintained? Scores release cadence and history to flag abandoned or declining projects.

SUPPLY CHAIN

Who controls the package? Detects maintainer changes, single-publisher risk, and signs of account takeover.

SECURITY SURFACE

What can the code do? Surfaces eval, system calls, network access, and other capabilities you should know about before shipping.

PROMPT INJECTION

Does the package try to manipulate AI tools? Detects text designed to hijack coding assistants, review bots, or RAG pipelines.

Integrate in minutes

Two ways to consume analysis — MCP for AI coding agents, REST API for CI pipelines.

MCP Server

Exposed as MCP tools so AI coding agents can query supply chain risk before suggesting or upgrading dependencies. Works with Claude, Cursor, and any MCP-compatible agent.

  • check_packages — risk scores, signals, and policy evaluation for 1 to 500 packages

REST API

Score every dependency in your lockfile before it reaches production.

  • POST a subset of your lockfile to check
  • Each org is billed once per version per period
  • Block deploys on high-risk scores in CI

Start analyzing for free

Create an account, generate an API key, and integrate in under five minutes.