The supply-chain guardrail for the agentic coding era

Check every package before your AI agent installs it.

Audito plugs into Claude Code, Cursor, and any MCP client — flagging typosquats, deprecations, and known CVEs before they touch your lockfile, then fixing what's already there without leaving your workflow.

Works with
  • Claude Code
  • Cursor
  • Claude Desktop
  • any MCP client

Monitors
  • OSV.dev
  • npm
  • PyPI
  • crates.io
  • Go

Capabilities

Built for the way you actually ship now.

The agent picks the dependency. Audito makes sure the pick isn't a footgun — at install time, in CI, and forever after.

Pre-install guard

Your agent asks Audito before it writes a new dep. Typosquats, deprecations, known CVEs, and license mismatches get an allow / warn / block verdict with a plain-English summary — across npm, PyPI, crates.io, and Go.

Claude: I'll add colorss for ANSI colors.

Audito: Blocked. Likely typosquat of colors. Registered 6 days ago, 0 weekly downloads, no repo. Try chalk instead.
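A toy version of the allow / warn / block decision sketched above, written for this page as an illustration rather than taken from Audito. The popular-package list, the PackageMeta fields and the thresholds (30 days, 100 weekly downloads, two edits) are assumptions, and registry lookups are replaced by hand-built metadata.

```python
from dataclasses import dataclass

# Constructed: the well-known names a new dependency is compared against.
POPULAR = {"colors", "chalk", "lodash", "axios", "requests", "express"}

@dataclass
class PackageMeta:
    # Hypothetical registry metadata; a real guard would fetch this from npm/PyPI/etc.
    name: str
    age_days: int
    weekly_downloads: int
    has_repo: bool
    deprecated: bool = False
    cve_ids: tuple = ()  # advisory ids already known for this version

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def nearest_popular(name: str):
    """(popular_name, distance) for the closest well-known package within 2 edits, else None."""
    if name in POPULAR:
        return None
    best, d = min(((p, edit_distance(name, p)) for p in POPULAR), key=lambda t: t[1])
    return (best, d) if d <= 2 else None

def verdict(meta: PackageMeta) -> tuple:
    """Return (decision, plain-English reason). Block conditions win over warn conditions."""
    near = nearest_popular(meta.name)
    # Thresholds are assumptions. A look-alike name plus a brand-new, unused, repo-less
    # package is the classic typosquat profile; either signal on its own only warns.
    fresh = meta.age_days < 30 and meta.weekly_downloads < 100 and not meta.has_repo
    if near and fresh:
        return "block", (f"Likely typosquat of {near[0]}. Registered {meta.age_days} days ago, "
                         f"{meta.weekly_downloads} weekly downloads, no repo.")
    if meta.cve_ids:
        return "block", f"Known advisories: {', '.join(meta.cve_ids)}."
    reasons = []
    if near:
        reasons.append(f"name is {near[1]} edit(s) from {near[0]}")
    if meta.deprecated:
        reasons.append("package is deprecated")
    if fresh:
        reasons.append("new, unused package without a repository")
    return ("warn", "; ".join(reasons) + ".") if reasons else ("allow", "No findings.")
```

Feeding it the metadata from the exchange above (`PackageMeta("colorss", 6, 0, False)`) yields the block verdict with the same summary.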

Whole-lockfile audit

Audit an entire lockfile in one call — npm, pnpm, yarn (classic + berry), requirements.txt, poetry, Pipfile, Cargo, and go.sum. Eight formats, one tool.

Agent-native remediation

Audito computes the nearest safe upgrade per CVE — a minimal, operator-preserving manifest edit and the exact per-ecosystem install command, with breaking changes flagged. Your agent applies it; you review and merge.

Bump lodash: ^4.17.20 → ^4.17.21
Bump next: 15.2.1 → 16.2.4
Bump axios: ^1.6.0 → ^1.7.4

CI gate on every PR

A GitHub Action and an installable App post an Audito Check Run with inline per-package annotations. Malware and CRITICAL/HIGH block; the App can open remediation PRs.

Daily scan + real-time alerts

A daily OSV.dev scan keeps your inventory current; CRITICAL and HIGH findings email you immediately — not at the end of the week.

23 open findings (−8 over 7 days): 1 Critical · 3 High · 7 Medium · 12 Low

Policy, posture & digest

License allow / warn / block on SPDX IDs, 30-day posture trends, a findings inbox with accept / dismiss / snooze triage, and a Monday digest of what changed.

How it works

Three steps. The dashboard is the report; your agent is the workspace.

  1. Connect your agent

     One line in Claude Code. Cursor and Claude Desktop work too over mcp-remote. Authenticate with an audt_… token — no SDK, no CI step required.

     claude mcp add audito --remote …

  2. It checks every dep

     Pre-install, the agent asks Audito before writing the package. Post-install, a daily scan keeps watching what's already there and alerts you when something new lands.

  3. It fixes them too

     Audito returns the nearest safe upgrade; your agent applies it, or the GitHub App opens a draft remediation PR. You review and merge.

  • Works with Claude Code & Cursor
  • npm · PyPI · crates.io · Go
  • Powered by OSV.dev
  • No CI plumbing required

Free to start. $5 / seat when you grow.

Free covers 3 libraries on npm + PyPI with real-time alerts. Pro unlocks lockfile audits, the GitHub CI gate, all four ecosystems, and license policies — 14-day free trial, no card, starting at signup.

Stop trusting your agent's package picks blindly.

Connect Audito to Claude Code or Cursor in a minute. The next package your agent reaches for, you'll know whether it's safe before it lands.