Assay

We pointed Assay at OpenAI, Kubernetes, Shopify, and Cloudflare.

It found vulnerabilities in all of them.

OpenAI: CRITICAL
CWE-94

RCE via vm.Script sandbox escape

JavaScript
Buffer.from('').constructor.constructor('return process')()
Found and reported
Kubernetes: HIGH
CWE-918

SSRF chain across kubeadm discovery endpoints

Go
// RetrieveValidatedConfigInfo — httpsURL passed with no host validation
client.Get(httpsURL)  // user-controlled, full response consumed
Found and reported
Kubernetes: HIGH
CWE-22

Path traversal to root code execution in GCI mounter

Go
path, _ := filepath.Split(os.Args[0])  // attacker controls argv[0]
rootfsPath := filepath.Join(path, rootfs)
// then: exec.Command("chroot", rootfsPath, "/bin/mount", ...)
Found and reported
Cloudflare: HIGH
CWE-918 / CWE-284 / CWE-601

SSRF + CORS + Open Redirect chain

TypeScript
const remote = requestHeaders.get("X-CF-Remote");
await fetch(switchRemote(url, remote), { ... })  // no assertValidURL() call
Found and reported
Cloudflare: HIGH
CWE-732

OAuth tokens written world-readable

TypeScript
writeFileSync(path.join(configPath), TOML.stringify(config), {
  encoding: "utf-8",  // missing mode option — defaults to 0o644 via umask
});
Found and reported
Shopify: MEDIUM
CWE-338

Predictable CSP nonce via Math.random fallback

TypeScript
// Falls back to Math.random() when crypto.getRandomValues() throws
return new Uint8Array(16).map(() => (Math.random() * 255) | 0);
Found and reported
Shopify: MEDIUM
CWE-338

Weak OAuth state parameter

TypeScript
const randomString = Math.random().toString(36).substring(2)
// Same file correctly uses crypto.getRandomValues() elsewhere
Found and reported
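The two CWE-338 findings above share one fix: derive CSP nonces and OAuth state only from a CSPRNG and fail closed, rather than silently falling back to Math.random(). The following is an added example, not Assay's or Shopify's code; the helper names are hypothetical and it assumes Node's crypto module.

```typescript
import { webcrypto, timingSafeEqual } from "crypto";

// Hypothetical helpers (added example, not from the scanned repo).
// Secure random bytes with NO Math.random() fallback: if the CSPRNG is
// unavailable or throws, the caller gets an exception instead of a
// predictable value. Fail closed, never open.
export function secureRandomBytes(length: number): Uint8Array {
  if (typeof webcrypto?.getRandomValues !== "function") {
    throw new Error("CSPRNG unavailable; refusing Math.random() fallback");
  }
  return webcrypto.getRandomValues(new Uint8Array(length));
}

// base64url is safe in both a CSP header value and an OAuth query parameter.
export function toBase64Url(bytes: Uint8Array): string {
  return Buffer.from(bytes).toString("base64url");
}

// CSP nonce: 128 bits, the minimum CSP Level 3 recommends before encoding.
export function cspNonce(): string {
  return toBase64Url(secureRandomBytes(16));
}

// OAuth state: 256 bits; store it in the session and accept it once.
export function oauthState(): string {
  return toBase64Url(secureRandomBytes(32));
}

// Constant-time comparison of the stored state with the one the IdP returns,
// so a mismatch does not leak how many leading characters were correct.
export function stateMatches(expected: string, received: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(received, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}
```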
Next.js/Vercel: MEDIUM
CWE-352

CSRF wildcard origin bypass

TypeScript
// Guard intended to block *.com — but *.com has length 2, bypasses check
if (patternParts.length === 1 && patternParts[0] === '**') return false
Found and reported
npx tryassay assess .

Run it on your code.

Not just big targets. Real developers. Real repos.

Drop a repo. We'll scan it free. Join the community →

Human-built code scores 91. Here's what AI platforms score.

Bolt.new: 0/100
Lovable (App 1): 0/100
Lovable (App 2): 0/100
Replit: 0/100

4 platforms verified. 21 bugs found. 0 passed.

How it works

1. Extract

Reads your codebase. Identifies every implicit claim the code makes. "This endpoint validates input." "This auth check prevents bypass." "This query is parameterized."

2. Verify

Tests each claim against the actual implementation. Cross-references code paths, checks for gaps between intent and behavior.

3. Report

Scores the codebase. Maps every claim to pass, partial, or fail. Links bugs to exact file and line.

Run it

CLI: npx tryassay assess .
GitHub Action: uses: gtsbahamas/hallucination-reversing-system/github-action@main
Free Scan

Drop a GitHub URL and we'll run it for you. Join the community →

View pricing →