Assay reasons about an artifact with an LLM — not regex — to catch prompt injection, credential exfiltration, and MCP tool poisoning in Claude Code plugins, MCP servers, hooks, skills & connectors. It runs on your Claude Code subscription, so there's no separate API key.
Before you install a plugin or wire up an MCP server, Assay threat-models what it could do, then reads the code for evidence — every finding backed by a verbatim file:line quote. It gives a safe / caution / unsafe verdict you can trust, because a post-validator re-reads each citation and drops anything the model can't back with real code.
Build from source today, or the prebuilt curl / Homebrew / WinGet / Docker channels.
Inventory your stack, run a scan from the web UI or CLI, and gate installs.
The 5-stage methodology, the two scan modes, and the threat classes it targets.
How it differs from Snyk / Cisco, whether it needs an API key, tool poisoning, and more.
# build the single binary (React UI embedded)
git clone https://github.com/chawdamrunal/assay.git && cd assay
make build && make install
# see what's installed in ~/.claude, then scan from the web UI
assay inventory
assay serve # http://localhost:7373 → "New Scan"
Full details in Installation and Quickstart.
claude -p — no separate Anthropic API key, and no rate-limit walls. An API key is only needed for the --scan-mode legacy / CI fallback.