Those focus on dependency CVEs or network-level guardrails. Assay reasons about the artifact's behavior with an LLM — it threat-models what a Claude Code plugin or MCP server can actually do, then reads the code for evidence, with every finding backed by a verbatim file:line quote (confabulations are re-read and dropped).
No. Default mode runs on your existing Claude Code subscription via claude -p. An API key is only needed for the --scan-mode legacy / CI fallback, or the deterministic --no-llm tier (which needs no key at all).
An MCP server that passes review, then later mutates a tool description to smuggle malicious instructions to the agent. It's one of the AI-dev-stack threat classes Assay models — see How it works and the threat model.
Yes — point it at github.com/owner/repo (or the clone-style …/repo.git). Public repos need nothing; private ones resolve a token from the OS keychain, GITHUB_TOKEN/GH_TOKEN, or gh auth token. See Quickstart.
Only the snippets Assay chooses to read are sent to the reasoning model (Claude Code, or the Anthropic API in legacy mode). Nothing else. Verdicts can be signed in the JSON output, the tool layer is sandboxed under a per-call target root, and any policy file is loaded from your side — never from inside the scanned artifact, so a malicious plugin can't suppress its own findings.
A single self-contained Go binary with the React UI embedded — macOS, Linux, WSL, and Windows. It exposes three roles from one binary: the CLI, the assay serve web server, and the assay mcp MCP server that Claude Code drives.