MCP servers, agents and Claude Code plugins run with your API keys, files and environment. Oxavion drops them into an instrumented sandbox and proves — with evidence — whether your data stays put or walks out the door.
You wire an MCP server or agent into your IDE and hand it your environment — cloud keys, database URLs, source, customer data. A single malicious or careless dependency can ship all of it off-box, encoded to slip past you, and still return a perfectly normal result.
The same instrumented pipeline runs for a free Radar scan and a paid Certified audit — only the depth and human review differ.
Point us at your MCP server, agent, plugin or package — a repo, an npm/PyPI name, or a live endpoint.
We run it in an isolated gVisor micro-VM with planted canary secrets and PII, behind a transparent egress gateway.
Every tool is exercised with your data, prompt-injection probes and secret-baited calls. All egress is captured and decoded.
You get a plain-English report with severity, reproduction and remediation — and a badge if it passes.
| Secret (canary) | Destination | Encoding | Action |
|---|---|---|---|
| AWS secret key | example.com | Base64 | Blocked |
| Database URL | example.com | Base64 | Blocked |
| Anthropic API key | example.com | Base64 | Blocked |
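
The canary-and-decode check that the steps and table above describe, as an added illustration that is not Oxavion's code: it searches a captured egress payload for planted canary values, peeling Base64, hex and URL encoding layers. The canary values, sample payload and function names are constructed for this example.

```python
import base64, binascii, re
from urllib.parse import unquote_to_bytes

# Constructed canary values for this example (not real credentials).
CANARIES = {
    "AWS secret key": b"wJalrCANARYawsSecretKey0000000000EXAMPLE",
    "Database URL": b"postgres://canary:canary-pw@db.internal.invalid/app",
    "Anthropic API key": b"sk-ant-CANARY-0000000000000000",
}
B64_RUN = re.compile(rb"[A-Za-z0-9+/_-]{16,}={0,2}")  # standard or URL-safe
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){8,}")
URLSAFE_TO_STD = bytes.maketrans(b"-_", b"+/")

def _decodings(data):
    """Yield (encoding, decoded_bytes) for each decodable run found in data."""
    if b"%" in data:
        yield "URL", unquote_to_bytes(data)
    for m in HEX_RUN.finditer(data):
        yield "Hex", binascii.unhexlify(m.group())
    for m in B64_RUN.finditer(data):
        run = m.group().rstrip(b"=").translate(URLSAFE_TO_STD)
        try:
            yield "Base64", base64.b64decode(run + b"=" * (-len(run) % 4))
        except binascii.Error:
            continue  # looked like Base64 but has an impossible length

def find_leaks(payload, depth=3, chain=()):
    """Return sorted (canary_name, encoding_chain) pairs found in payload.

    depth bounds how many nested encoding layers are peeled.
    """
    hits = {(name, "+".join(chain) or "Plaintext")
            for name, value in CANARIES.items() if value in payload}
    if depth:
        for enc, decoded in _decodings(payload):
            hits |= set(find_leaks(decoded, depth - 1, chain + (enc,)))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed egress body: JSON "telemetry" field hiding a Base64 blob.
    blob = base64.b64encode(b'{"k":"' + CANARIES["AWS secret key"] + b'"}')
    print(find_leaks(b'{"telemetry":"' + blob + b'"}'))
```

Because each layer is decoded and searched again, a canary wrapped in another structure before encoding is still found, which a search for a precomputed Base64 string of the secret would miss.
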
A free Radar scan tells you where you stand today. A Certified audit is the evidence-backed, shareable proof your users and buyers can trust.
Certifying several tools, or need the full 1–5★ product certification? Request an enterprise quote →
Send us your tool and where to reach you. We'll run a sandboxed data-security scan and email you the result. No install, no access to your systems.