Koidex icon

Koidex

Identifies and removes security risks within software components including extensions, packages, applications, and models used by technical teams.

Reviewed by ToolWorthy Editors·updated 2 months ago

Pricing:Free + Premium
Jump to section

Latest reviewed tools

Airender icon

Airender

ListingVideo icon

ListingVideo

ChatGPT icon

ChatGPT

Seedream icon

Seedream

Pros & Cons

Pros

  • Public listing reports accessible without a paid plan; most lookups support anonymous browsing
  • Covers an exceptionally wide range of marketplaces (14+ and growing)
  • Agentic engine analyzes actual code rather than relying on reputation alone
  • Hourly marketplace rescans catch threats introduced through silent updates
  • Backed by active security research with documented real-world threat discoveries

Cons

  • Detailed code-level findings (specific vulnerabilities, secrets, malware indicators) are locked behind the enterprise tier
  • Enterprise pricing is not publicly disclosed; requires a sales conversation
  • Free tier lacks bulk or organization-wide scanning capabilities
  • API access is part of the enterprise platform (no publicly documented free-tier API)

Overview

Koidex is a free, publicly accessible software risk analysis platform built by Koi Security. It helps developers, security teams, and IT administrators quickly detect malicious or high-risk software before it reaches their endpoints—covering browser extensions, IDE plugins, npm packages, Python libraries, AI models, and MCP tools.

Unlike traditional security scanners that check reputations or signatures, Koidex is powered by Wings™, Koi's proprietary agentic AI risk engine. Wings™ analyzes what software is actually made of—examining code diffs, runtime behavior, publisher reputation, and update channels—rather than relying on surface-level labels. The result is risk scores and detailed reports for individual marketplace listings that you can search and review for free.

Koidex was launched on Product Hunt in February 2026 and covers over a dozen marketplaces out of the box, including Visual Studio Code, Chrome Web Store, npm, PyPI, Hugging Face, Cursor, and JetBrains Marketplace. Enterprise users gain access to deeper code analysis findings, policy enforcement, and remediation workflows through the full Koi Security platform.

Key Features

  • Wings™ Agentic Risk Engine — Analyzes the actual code composition and behavior of marketplace listings. Wings™ performs a full marketplace scan every hour (per official documentation), correlating code diffs, publisher changes, and network behavior to produce accurate risk scores rather than relying on reputation alone.

  • Multi-Marketplace Coverage — dex report pages currently verify coverage for Visual Studio Code, JetBrains, Chrome Web Store, Firefox Add-ons, Edge Add-ons, Cursor, and Windsurf. The Koi platform additionally claims coverage for npm, PyPI, Hugging Face, MCP registries, Office Add-ins, Homebrew, OpenVSX, and Visual Studio—availability and depth for these may require the enterprise tier.

  • Publisher Reputation Intelligence — Tracks each software publisher's cross-marketplace history, flagging ownership transfers, sudden behavioral changes, and impersonation attempts that often signal supply chain attacks.

  • Risk Reports per Listing — Each analyzed item receives a structured risk report. Free users see risk level (Low / Medium / High / Critical) and a basic Findings summary. Enterprise users additionally unlock Permissions analysis, in-depth code findings (secrets, vulnerabilities, external communications, dependencies), and license information.

  • Agentic Discovery & Inventory — Enterprise accounts can track every piece of marketplace-sourced software across an organization's endpoints the moment it appears, enabling continuous monitoring without manual auditing.

  • Remediation & Policy Controls — Enterprise features include one-click quarantine, version rollbacks, allow/block list enforcement, automated approvals for safe software, and integrations with SWG, EDR, MDM, and PAC file infrastructure.

Pricing & Plans

Koidex operates on a freemium model. The public-facing risk analysis tool at dex.koi.security allows anonymous browsing of public listing reports; some features or continued access may prompt sign-up.

Tier Price What's Included
Free (Koidex) $0 Risk level (e.g., Low / Medium / High / Critical), basic Findings summary, publisher reputation, public listing reports for verified marketplaces
Enterprise (Koi Platform) Contact Sales Permissions analysis, in-depth code findings (secrets, vulnerabilities, malware, external comms, licenses), endpoint discovery, policy management, automated remediation, API automations, SWG/EDR/MDM integrations

The free tier is genuinely useful for ad-hoc checks on individual extensions or packages. For organizations that need continuous monitoring, policy enforcement, and team-wide governance, the enterprise platform is required—pricing is available on request via a demo booking.

Best For

  • Security engineers who need a quick, zero-friction check on a browser extension or VS Code plugin before installing it
  • DevOps and platform teams evaluating npm or PyPI packages for supply chain risk
  • IT administrators at companies with policies around marketplace software who want a free first-pass scanner
  • AI developers and teams adopting MCP tools or Hugging Face models who want to verify model safety before deployment
  • Enterprise security teams looking for a unified endpoint governance platform that covers non-binary software EDRs cannot protect against

FAQ

Is Koidex completely free?

Most public listing reports on dex.koi.security can be browsed without a paid plan—you can view a listing's risk level, basic Findings summary, and publisher reputation at no cost. However, deep modules such as Permissions analysis and in-depth code findings are labeled Enterprise Only in the report UI, and continued or advanced access may prompt sign-up. The full Koi Security platform—with policy enforcement, endpoint discovery, and automated remediation—requires an enterprise agreement.

What marketplaces does Koidex support?

Koidex covers Visual Studio Code, JetBrains Marketplace, Chrome Web Store, Firefox Add-ons, Edge Add-ons, Cursor, Windsurf, npm, and PyPI on the free tier. Enterprise accounts additionally gain coverage for Hugging Face, MCP registries, Office Add-ins, Homebrew, OpenVSX, and Visual Studio.

How does the Wings™ risk engine work?

Wings™ is Koi's proprietary agentic AI risk engine. It performs a full scan of all supported marketplaces every hour, gathers publisher reputation across platforms, uses an LLM to compare a package's actual code against its stated functionality, runs dynamic analysis in a sandbox, and assigns a risk score. Scores are updated whenever a new version is published.

How is Koidex different from VirusTotal or traditional antivirus?

Traditional antivirus and tools like VirusTotal rely primarily on signature matching and reputation databases. Koidex analyzes the actual source code composition and runtime behavior of non-binary software—browser extensions, scripts, packages, and AI models—that EDRs typically cannot inspect. This makes it effective against novel threats and supply chain attacks introduced through legitimate-looking software updates.

Can I use Koidex to monitor my entire organization?

Organization-wide monitoring, endpoint discovery, and policy enforcement are part of the enterprise Koi Security platform, not the free Koidex tool. The free version is designed for individual, on-demand lookups. Contact Koi to book a demo if you need fleet-wide coverage.

Does Koidex require installing any software?

The core Koidex experience is web-based—you can look up public reports at dex.koi.security without installing anything, and most reports are accessible without creating an account. Koi also offers IDE extensions for VS Code, Cursor, and Windsurf that surface risk information directly in your editor; those extensions require a Koi account to function.

Is my search data private when I use Koidex?

Koidex is a public lookup tool and many reports can be accessed without logging in. That said, as with any web service, server-side logging (IP address, query terms) may occur even for anonymous users. For sensitive software inventories, Koi enterprise deployments use dedicated, isolated customer tenants. Refer to Koi's official privacy policy for authoritative details on data retention and logging practices.

How do I get enterprise pricing?

Koi does not publish enterprise pricing publicly. You can book a demo directly at koi.security to discuss your organization's needs and get a custom quote. The platform is also available through AWS Marketplace as a SaaS offering for teams that prefer cloud marketplace procurement.


Koidex fills a critical gap in the modern AI code generator and developer tooling ecosystem: as software supply chain attacks grow more sophisticated, teams using tools like Claude Code or building with AI agents now have a free way to verify that the extensions and packages they depend on haven't been silently compromised. For teams that need fleet-wide governance, policy enforcement, and automated remediation, the full Koi enterprise platform extends what Koidex provides into a complete supply chain security layer.

Is this your tool?

Upgrade this free listing to Verified to unlock all four below. One-time fee of $99.

Claim & upgrade

Verified badge

A blue Verified pill appears next to your tool name across ToolWorthy. Embeddable on your own site too.

Featured alternatives slot

Appear in the sidebar of similar tools' detail pages — intent-matched traffic from competitors.

Dofollow backlink

Your Visit Site button sends direct SEO value to your domain instead of nofollow.

Editor-curated review

We expand your listing with original pros/cons, use cases, and screenshots — on-brand and on-message.

From the blog

View all →

Track Koidex in ToolWorthy Weekly

Important tool updates, better alternatives, and selected AI signals in one weekly brief.

Weekly only. Unsubscribe anytime.