Point Assay at a plugin, an MCP server, a local directory, or a GitHub repo. The web UI drives scans through your Claude Code subscription; the CLI can also run a deterministic, no-key pre-pass.
# Inventory what's installed in ~/.claude
assay inventory
# Web UI (default mode: scans run via your Claude Code subscription)
assay serve
# open http://localhost:7373 → click "New Scan" → pick a target
# Scan every installed plugin in parallel (fleet mode)
assay scan-all --parallel 2
# In Claude Code itself
/assay-scan ~/.claude/plugins/my-plugin
# Standalone CLI (legacy mode — direct Anthropic API call, needs a key)
assay scan ~/.claude/plugins/my-plugin
# Fast deterministic pre-pass only (no LLM call, <2s)
assay scan --quick --json ~/.claude/plugins/cache/<m>/<plugin>/<version>
Intercept /plugin install in Claude Code so nothing lands unscanned:
assay hook install
Every install then runs assay scan --quick and returns a decision before it commits — deny on critical/high, ask on medium, allow (with a deep scan in the background) on low. It's the 30-second risk briefing at the exact moment you're about to trust something.
Ask in the chat ("is github.com/acme/plugin safe?") or paste a URL into the New Scan box — Assay clones to a quarantined cache and scans the checkout. Public repos need nothing. For a private repo it resolves a token in priority order, each time a clone needs auth:
GITHUB_TOKEN / GH_TOKEN environment variablegh auth token — the GitHub CLI, when you're logged ingithub.com and injected via git's env-config, so it never lands in the process list, the clone URL, or .git/config. A fine-grained, read-only Contents token is recommended. Both https://github.com/owner/repo and the clone-style …/repo.git URL work.git clone can'tassay scan-all aggregates verdicts and surfaces newly-unsafe plugins across the fleet.