Catch the bugs Cursor and Claude Code leave in your repo.

VettIQ is the security scanner built for AI-generated code. Six-stage AI pipeline reviews every commit, generates fixes, and verifies them — before you ship to production.

Securing code isn't enough anymore.

AI agents install skills the same way users install browser extensions — without reading the fine print. VettIQ now scans ClawHub skills before they run inside your agents.

Scan a ClawHub Skill

1,257+ MCP Servers. Risk-Scored. Updated Every 6 Hours.

Every public MCP server on GitHub — scanned by Snyk, Cisco Kenna, Semgrep, and VirusTotal. Search before you connect anything to your agent.

Search the Directory
FREE

Blueprints

Security Rules for AI Coding Tools

Drop a rules file into your project and your AI coding tool enforces security patterns automatically. Prevent the 9 most common vulnerabilities before they are written.

Blueprints are stack-specific security rules files that plug directly into AI coding assistants like Cursor, Claude Code, and Windsurf. Each blueprint encodes the OWASP Top 10 mitigations for a given stack — Next.js + Supabase, Python + FastAPI, and more — so your AI assistant writes secure code by default instead of generating vulnerabilities you have to find later. They are open source, require no account, and install with a single copy-paste command.

Works with Cursor, Claude Code, Windsurf
One-command install
Open source, free forever
Get a Blueprint

Code Security

Multi-LLM Vulnerability Scanner

Catch vulnerabilities that Cursor, Copilot, and AI-generated code introduce — before they ship. A five-stage pipeline scans every file through detection, deep analysis, adversarial checking, fix generation, and verification.

Built for developers and security teams who ship AI-generated code to production. Unlike traditional SAST tools that pattern-match against known CVEs, VettIQ uses multiple LLMs in sequence — each model independently analyzes your code, and only findings that reach 60% consensus across models get reported. This eliminates the false-positive noise that makes most security scanners unusable. The pipeline also generates verified fix suggestions so you can remediate in seconds, not hours.

Code Pipeline
99.7% OWASP Top 10 detection
Multi-LLM consensus pipeline
<2s per file
Explore Code Security
FREE

Free Public Scanner

Try VettIQ on any public GitHub repo. No signup, no credit card. See exactly what Cursor and Claude Code missed in 60 seconds.

Try the scanner

Two Attack Surfaces. One Scanner.

Your Code

Cursor and Claude Code ship fast. Security doesn't keep up. VettIQ catches what they miss — hardcoded secrets, injection flaws, unsafe dependencies — before your code ships.

Scan a Repo
Your Agent's Tools

36% of ClawHub skills contain detectable prompt injection. VirusTotal can't read a SKILL.md. VettIQ can.

Scan a Skill

How VettIQ Works

Code Security Pipeline

When you submit code for scanning, VettIQ runs it through a five-stage sequential pipeline. Each stage uses a different LLM to analyze your code independently, so no single model's blind spots can cause a missed vulnerability.

  1. Detection

     The first model scans for OWASP Top 10 vulnerabilities, hardcoded credentials, injection flaws, and insecure dependencies. It produces an initial list of candidate findings with severity ratings.

  2. Deep Analysis

     A second model examines each candidate finding in context — analyzing data flow, authentication boundaries, and business logic to determine whether the vulnerability is reachable and exploitable.

  3. Adversarial Review

     A third model actively tries to disprove each finding. It looks for mitigating controls, framework-level protections, and environmental factors that might make a reported vulnerability a false positive.

  4. Fix Generation

     For every confirmed vulnerability, a fourth model generates a concrete fix — actual code you can apply, not a generic recommendation. Fixes are scoped to the minimum change needed to remediate the issue.

  5. Verification

     A final model verifies that the proposed fix actually resolves the vulnerability without introducing regressions. Only findings that survive all five stages and reach 60% cross-model consensus are reported.
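As an added illustration of the 60% cross-model consensus rule described above (this is not VettIQ's code; the finding key, the severity ordering and the sample reports are assumptions constructed for the example):

```python
from collections import defaultdict
from dataclasses import dataclass

CONSENSUS_PCT = 60  # the page's stated 60% cross-model cut-off
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed ordering


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    cwe: str        # assumed dedup key, e.g. CWE-798 = hardcoded credentials
    severity: str


def consensus_findings(model_reports, threshold_pct=CONSENSUS_PCT):
    """Keep only findings flagged by at least threshold_pct of the models.

    model_reports: one list of Finding per model. A model votes for a given
    (path, line, cwe) at most once, even if it emitted the finding twice.
    Integer arithmetic keeps the 3-of-5 == 60% boundary exact (no float compare).
    """
    n_models = len(model_reports)
    voters = defaultdict(set)
    severity = {}
    for idx, report in enumerate(model_reports):
        for f in report:
            key = (f.path, f.line, f.cwe)
            voters[key].add(idx)
            # surface the most pessimistic severity any model assigned
            severity[key] = max(severity.get(key, f.severity), f.severity,
                                key=SEVERITY_RANK.get)
    accepted = []
    for key, who in voters.items():
        if len(who) * 100 >= threshold_pct * n_models:
            accepted.append((*key, severity[key], len(who), n_models))
    return sorted(accepted)


# Constructed sample: five model reports over the same repo.
def _secret(sev): return Finding("lib/supabase.ts", 12, "CWE-798", sev)
def _sqli(sev): return Finding("api/users.py", 40, "CWE-89", sev)
_xss = Finding("web/page.tsx", 7, "CWE-79", "medium")
SAMPLE_REPORTS = [
    [_secret("high"), _sqli("high")],                      # model 1
    [_secret("critical"), _sqli("high"), _sqli("high")],   # model 2, duplicate vote
    [_secret("high"), _xss],                               # model 3
    [_sqli("medium")],                                     # model 4
    [_secret("high"), _xss],                               # model 5
]

if __name__ == "__main__":
    for row in consensus_findings(SAMPLE_REPORTS):
        print(row)  # the XSS finding (2 of 5 models) never reaches the report
```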

MCP Directory Pipeline

VettIQ continuously discovers and scans every public MCP server on GitHub. New servers are detected every six hours and immediately queued for analysis through a four-scanner vetting pipeline.

  1. Discovery

     An automated crawler indexes GitHub for repositories that implement the Model Context Protocol. New servers are added to the queue within six hours of publication.

  2. Dependency Scanning

     Snyk and Semgrep analyze the server's dependency tree and source code for known CVEs, insecure coding patterns, and supply-chain risks. Cisco Kenna provides exploit-prediction scoring.

  3. Threat Intelligence

     VirusTotal cross-references the repository against known malware signatures, and results are enriched with data from CISA KEV, GitHub Security Advisories, and the OSV database.

  4. Risk Scoring

     Scanner results are aggregated into a weighted risk score from 0 to 100. Each server receives a status — approved, guardrails recommended, or rejected — so you can make an informed decision before connecting it to your AI agent.

1,257+ MCP Servers Scanned
4 Security Scanners per Server
99.7% OWASP Top 10 Detection Rate
1,184+ Confirmed Malicious ClawHub Skills
36% of Skills Contain Detectable Prompt Injection
300K AI Credentials Exposed from Compromised Agents

“VettIQ caught a hardcoded service key in our Supabase integration that Cursor generated and our team missed entirely.”

— Beta tester, AI-first SaaS team

MCP Trust Directory

The MCP Ecosystem Has a Trust Problem

Thousands of MCP servers on GitHub. No security standards. No vetting process. Developers are adding untrusted code directly into their AI coding workflows.

VettIQ scans every public MCP server automatically — Snyk, Cisco Kenna, Semgrep, and VirusTotal — and publishes the results so you can trust what you install.

Browse the MCP Directory

4 Scanners

Snyk, Cisco Kenna, Semgrep, and VirusTotal on every server

Risk Scored

Weighted 0–100 risk score with approved, guardrails, or rejected status

Threat Intel

Cross-referenced against CISA KEV, GitHub Advisories, and OSV

Always Current

Discovery runs every 6 hours — new MCP servers scanned automatically

AI writes vulnerable code

68% of codebases contain vulnerabilities. VettIQ Code Security catches them before they ship.

AI agents run without guardrails

AI agents install third-party MCP servers without vetting. VettIQ scans every one before it enters your sandbox.

One platform, full coverage

Secure your development and your deployments from a single dashboard.

Powered by Snyk, Semgrep, and VirusTotal scanning engines

Multi-LLM consensus pipeline with 6-stage analysis

The Cost of Shipping Unscanned AI Code

$3.31M: Median cost of a small business data breach (IBM 2024)
6–100x: More expensive to fix in production than pre-deploy (NIST)
45–90 min: Manual security review per file. VettIQ: under 2 min.

AI coding tools ship features fast. They also skip security fundamentals consistently — missing database access controls, credentials in client code, no rate limiting on auth endpoints. These aren't random mistakes. They're the same nine patterns, every codebase, every tool. VettIQ finds them before they reach production.

Building with AI coding tools?

Catch the vulnerabilities Cursor and Claude Code introduce

Explore Code Security

Deploying AI agents with MCP?

Vet every server before it runs inside your agent sandbox

Browse MCP Directory