Run the full open-source AI pen-testing toolkit against your agents, LLMs, repos, and cloud — in CI, on every PR. No sales call. No 6-month procurement cycle.
npx nixer scan https://github.com/your-org/your-agent
Hardcoded OpenAI API key in test fixtures
Tool description allows prompt injection via untrusted input
Unauthenticated MCP server — arbitrary tool execution risk
Unpinned third-party action — supply chain attack surface
Anthropic API key in env config committed to repo
torch.load() without weights_only=True — pickle RCE risk
System prompt overridable via user input in chat endpoint
MCP tool allowlist missing — all tools callable by agent
Hardcoded OpenAI API key in test fixtures
Tool description allows prompt injection via untrusted input
Unauthenticated MCP server — arbitrary tool execution risk
Unpinned third-party action — supply chain attack surface
Anthropic API key in env config committed to repo
torch.load() without weights_only=True — pickle RCE risk
System prompt overridable via user input in chat endpoint
MCP tool allowlist missing — all tools callable by agent
Paste a GitHub URL or agent config. Get severity-ranked findings with exact file paths and remediation steps. No signup required.
Open the scanner →src/agent.js:14
OpenAI API key found in source file committed to repository. Key begins sk-proj-…. Immediately rotatable.
src/tools/browser.js · src/tools/email.js
Agent passes raw user input to 3 tool calls without sanitization. An attacker can inject instructions via user message to exfiltrate data or send emails.
src/models/load.py:34 · models/classifier.pt
Model loaded with unsafe pickle deserialization. A malicious .pt file can embed arbitrary Python via GLOBAL opcodes — same vector as the 2022 PyTorch nightly compromise.
weights_only=True in torch.load(). Migrate to safetensors format. Verify SHA-256 before loading.
requirements.txt:18
Package 2 edits away from the legitimate langchain. Typosquatted ML packages often run exfil code on pip install.
langchain. Audit existing install for unexpected network calls.
.github/workflows/ci.yml:31
Action pinned to a mutable tag — the same vector used in the 2023 tj-actions supply-chain attack that exfiltrated CI secrets from thousands of repos.
uses: tj-actions/changed-files@<sha>. Use Dependabot to keep pins updated.
Four attack surfaces, four dedicated tools. Every scan runs all of them against your target simultaneously.
MCP endpoint enumeration, tool permission chain audit, unauthenticated endpoint detection, privilege escalation paths, and agent-to-agent trust boundary mapping.
Prompt injection probes against raw user input paths, system prompt leakage tests, jailbreak surface detection, and unvalidated tool call chains that allow data exfiltration.
Secrets and API key detection across commit history, hardcoded credential scanning, dependency confusion checks, unsigned artifact warnings, and GitHub Actions workflow audits (pwn-request, script injection, unpinned actions).
Auth endpoint fuzzing, rate-limit absence detection (credential stuffing risk), missing account lockout, and login flow anomaly detection for AI-facing APIs.
Security tools shouldn't require a 6-month sales cycle to ship safely. Nixer is built for the engineer who finds their agent has a prompt injection vulnerability at 11pm on a Friday — not for the CISO presenting to the board on Tuesday.
npx nixer scan your repo right now, no signup required
"Security tools shouldn't require a 6-month sales cycle to ship safely."
Try it in 30 seconds →One command. Every PR. Automatic.
name: Security Scan
on: [push, pull_request]
permissions:
security-events: write
contents: read
jobs:
nixer:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Nixer security scan
uses: Polsia-Inc/nixer-action@v1
with:
api-key: ${{ secrets.NIXER_API_KEY }}
scan-targets: ./
severity-threshold: high
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: nixer.sarif
Findings appear as PR annotations + in the GitHub Security tab. Fails on high/critical. Add NIXER_API_KEY to repo secrets.
$ npx nixer scan https://github.com/your-org/your-agent
Nixer Security Scanner
──────────────────────────────────────────────────
Target : https://github.com/your-org/your-agent
Type : repo_url
Fail on: critical
Starting scan... started (id: 42)
Scan Results
──────────────────────────────────────────────────
Status : completed
Findings: 3 total
1 critical 2 medium
[secrets-scan]
CRITICAL Exposed OpenAI API Key
src/agent.js:14
Detected OpenAI API Key in src/agent.js:14
Fix: Remove or rotate this credential immediately.
FAIL — findings at critical or above. Exiting non-zero.
Works on GitHub URLs, local files, or raw JSON configs. No install — just npx.
Nixer outputs SARIF 2.1.0 by default. One extra step and findings land in the GitHub Security tab — inline on PR diffs, with file:line precision, severity colours, and remediation right where your team reviews code.
Polsia-Inc/nixer-action@v1 — writes nixer.sarif automatically
github/codeql-action/upload-sarif@v3 pointing at nixer.sarif
security-events: write + contents: read permissions
security-events: write is the #1 reason SARIF upload fails silently. The quickstart workflow has this right.
Exposed OpenAI API Key
Unvalidated Tool Call Chain — Prompt Injection Surface
Pickle RCE — torch.load() Without weights_only=True
ML Package Typosquat: "langchian" ≈ "langchain"
permissions:
security-events: write # required — most teams forget this
contents: read
steps:
- uses: actions/checkout@v4
- name: Run Nixer scan
uses: Polsia-Inc/nixer-action@v1
with:
api-key: ${{ secrets.NIXER_API_KEY }}
scan-targets: ./
severity-threshold: high
# format: sarif ← default, writes nixer.sarif
- name: Upload to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: nixer.sarif
category: nixer
Offensive security isn't a feature checklist. It's a mindset. Nixer is built by operators who've found what attackers find — and believe defenders deserve the same tooling.
Latest: We scanned the top 50 OSS AI repos. The results are not encouraging. →
Governance platforms watch your agents. Nixer attacks them. We test for the exploit, not the policy violation.
Proprietary tools have blind spots. Open-source tooling evolves with the threat landscape. Nixer orchestrates the best of it — no vendor lock-in, no black box.
We don't scan for 1,000 things and surface 5. We drill into the findings that matter — the ones that turn into breach stories.
Free tier for getting started. Paid plans for serious security work.