tanav.ai
MCP Server · 367 · 90% risk
Skill file · 213 · 98% risk
Hook · 184 · 100% risk
Agent · 176 · 100% risk
Plugin · 117 · 99% risk
MCP config · 96 · 96% risk
Copilot rules · 43 · 88% risk
AI supply chain security
Your AI agents run on code you haven't verified.
MCP servers · Skills · Hooks · Agents · Plugins · Cursor rules · Kiro specs · Copilot instructions · + ever expanding
Scanned repos: 2560
Critical (score ≥80): 579
High (55–79): 307
Medium (30–54): 1150
Clean (no findings): 14
Enterprise pilots open — get early access
Top findings

critical · AI confirmed
kubectl execSync without validation — arbitrary shell execution via KUBECONFIG_COMMAND env var
kubernetes/mcp-server

high · AI confirmed
Credentials embedded in docs URL — 1.06M weekly installs at risk
@upstash/context7-mcp (npm package, 1.06M/wk)

critical · AI confirmed
vm sandbox escape + wildcard hook — untrusted code executes in Claude context
affaan-m/everything-claude-code
tanav.ai · AI supply chain security · 2026