vite-plugin-dependency-guard
Vite plugin that checks dependencies for supply-chain and maintenance risks.
Found 1210 results for supply-chain
package-lock.json for MCP trust — scan MCP servers for tool poisoning, secret leaks, and silent tool rug-pulls, with a committed, reviewable lockfile.
PM AID -- AI agent defense scanner. 73 JS-native modules across prompt injection, secret exposure, supply chain, OSINT, vault hardening, and the AI-agent-runtime surface. Self-hosted. Offline-verified license. One-time ownership.
Read-only PolinRider / Glassworm supply-chain malware (IOC) scanner — use as a library in CI/pipelines or as a CLI to scan local files and folders
A deterministic proof layer for verifying AI-generated and human patches before merge.
Install AI-agent Skills & MCP servers with a verified, independent SaferSkills trust score — across Claude Code, Cursor, Windsurf, Copilot, Codex, Gemini, Cline & OpenClaw.
Make your AI coding agent dependency-security aware. Checks your project's dependencies against known CVEs so your agent can fix what it introduced — before merge.
Block obfuscated build/commit-time code-injection payloads (hidden long-line JS stagers) before they enter your repo. Zero dependencies. Works as a pre-commit hook, in CI, or standalone.
Anonymous, zero-account, zero-dependency software composition analysis for CI — vulnerabilities, supply-chain/typosquat, licenses & malware. Never uploads your source.
Resolve a pnpm lockfile whose entire dependency tree (direct + transitive) excludes versions published after a cutoff — a transitive minimumReleaseAge / uv-style --exclude-newer for pnpm.