Koidex
Know if a package, extension, or AI model is actually safe
674 followers
Know if a package, extension, or AI model is actually safe
674 followers
Koidex helps you answer one question fast: "Is this safe to install?". Search extensions, code packages, and AI models across VS Code, JetBrains, npm, and Hugging Face. You can also install the Koidex IDE extension for real-time background scanning in Cursor and Windsurf. Free, no setup.
Koidex
👋 Hey Product Hunt! I’m Amit, Co-founder of Koi.
Today we’re launching Koidex. It helps you quickly check whether a package, extension, or AI model looks safe before it enters your stack.
Try it here: Koidex → https://dex.koi.security/?ref=producthunt
📖 Why We Built It
We’re the research team behind the discoveries of GlassWorm, ShadyPanda, and PhantomRaven, and we’ve seen how easily malicious code hides in “normal” developer tooling.
To prove how fast these blind spots get targeted, we ran a blunt test: we published a harmless lookalike VS Code theme and saw installs from large-company networks within 30 minutes. The industry knows these threats exist, but workflows haven’t changed. That was the moment we realized: “one-click install” needs “one-click due diligence.”
💡 What You Can Do With Koidex Today
🔍 Unified Search: One place to check VS Code, Chrome, JetBrains, npm, and Hugging Face, and more.
🧠 Behavior-Based Scoring: Focuses on what the code actually does, not just what the listing claims.
🧾 Readable Risk Summaries: Vulnerabilities, deep dependencies, permissions, and publisher signals.
🐟 Catch of the Day: Fresh suspicious or malicious items spotted in the wild.
👨🏻💻 Koidex IDE Extension: Scans installed extensions and flags risky installs in real time across VS Code, Cursor, Windsurf, VSCodium, and more.
🎁 Product Hunt Launch Offer
First 200 registrants via the Product Hunt link get unlimited searches for 2 weeks. Sign up here: https://dex.koi.security/?ref=producthunt
🙏 What I’d Love Feedback On
What ecosystem should we evaluate next?
What’s the one signal you wish you had before installing something?
If you try it, drop a package, extension, or model you use and tell me if the rating matches your gut.
I’m here in the comments!
@amitassaraf
One question: do you plan to expand support for scanning MCP servers and AI agent tools? With the growing adoption of autonomous agents, that seems like the next big risk vector.
Koidex
@martingebara We’re opening early access for MCP scanning next week, and then expanding from there. If you want in, DM me what MCP/agent ecosystem you’re using and we’ll loop you in.
@amitassaraf do you provide APIs to give services to other 3rd parties?
@amitassaraf Hi Amit. I'm somewhat of a beginner in AI. Still learning the ropes, so I am curious to know how do you evaluate whether an AI model is safe? Are you checking for malicious code, biased outputs, or unsafe behaviors?
I appreciate your team building this. It's unfortunate that we can't trust the store front for all of these tools to verify the safety and validity, but in these trying times where AI can build and ship useful tools that can have a malicious purpose undisclosed it is helpful to know what a new type of virus/malware scan is being actively developed to provide another level of safety to all.
Koidex
@jaredepicpower Spot on, Jared. The “Install” is still a blind click for most people, and that’s exactly the gap Koidex is here to fix. Appreciate the support today 🙌
How does it exactly work? I tried to input name of a chrome extension but it said "No items found matching your search". Does that mean it is not safe?
Koidex
Hey @zerotox - thanks for checking it out 🙏
“No items found” doesn’t mean it’s unsafe. It just means we didn’t find a match for that search in the source you selected.
Which Chrome extension were you looking for (name or link)? If you drop it here, I’ll help you find it (and if it’s missing, we’ll add it).
@dnslavin It didn't work earlier, but I tried again now and it worked. Thank you.
Koidex
@zerotox amazing 😊
Documentation.AI
Congrats on launching. MCP seems to be enterprise feature. Is there a pricing for enterprise?
Koidex
Thanks @roopreddy !
Yes, MCP is enterprise today, but we’re planning to open it up to the community next week.
For enterprise pricing, it depends on scope. If you DM me a quick overview (approx. number of endpoints + which ecosystems you want covered), I’ll connect you with the right details.
Behavior-based scoring is the right call. Most registry security tools just check known CVE lists, but the real danger is packages that pass all the obvious checks and do something unexpected at install time. Focusing on what the code actually does rather than what the listing claims is a much stronger signal.
The IDE extension scanning installed extensions in real time is a nice touch - most developers don't revisit what they've already installed. One question: how does the scoring handle packages with legitimate but unusual permission patterns? Something like a build tool that needs file system access and network calls could look suspicious by the same heuristics that catch actual malware.
Koidex
@zzunkie Jeongki, you basically described the exact gap we’re trying to close :)
On the “legit but unusual permissions” part: we don’t treat broad access as automatically bad. A build tool needing filesystem + network is normal. What we look for is whether it makes sense for what the tool claims to be, and whether there are extra red flags around it (weird update patterns, obfuscation, sketchy publisher signals, unexpected behavior indicators, etc.). That’s usually where “overreach” shows up.
Also, we try to be transparent about it, so the score comes with the reasons and you can judge for yourself.
@dnslavin That makes sense. Scoring with visible reasoning is way better than a binary safe/unsafe flag. Developers will actually trust it if they can see why.
this sound really cool, congrats!
i'll test it on my WordPress MCP - https://www.npmjs.com/package/@respira/wordpress-mcp-server
Koidex
@respira thank you for the support!
ConnectMachine
Interesting. How do you find what is suspicious and what is safe though? What tech are you using on the backend? Asking to check the reliability.
Koidex
@syed_shayanur_rahman - great question! We don’t rely on a single signal.
Koidex scores risk using a mix of static + behavioral signals: permissions and capabilities, suspicious patterns (obfuscation, unusual install/update behavior), dependency and publisher signals, and known bad indicators. We also re-check items over time as versions change.
On the backend, it’s a pipeline that pulls listings + versions, runs analysis, and produces the score + explanation.