How We Score Risk
SamuAI's scoring methodology is built by security practitioners who work in third-party risk, supply chain security, and AI governance — people who evaluate tooling risk for a living and understand what it takes to meet the highest functional bars for securing AI-adjacent software.
Our Approach
Every SamuAI score is derived from observable, verifiable signals — not self-reported claims from developers. When you scan a tool, we pull its publicly available metadata: manifest files, permission declarations, dependency trees, store listings, and developer provenance. We never execute extension code or access your personal data.
That metadata is analyzed through a proprietary model that evaluates risk across multiple dimensions — informed by the same frameworks that enterprise security teams use to assess vendor and supply chain risk. The result is a single 0–10 score that tells you how much exposure a tool introduces, and why.
What We Evaluate
Permission Analysis
We classify every permission a tool requests by risk tier, then evaluate whether each permission is justified for what the tool actually does. An ad blocker intercepting web requests is expected. A calculator doing the same is a red flag. Our model understands the difference.
Developer Provenance
We assess how identifiable and established the publisher is — platform verification, organizational accountability, ecosystem track record, community adoption, and web presence. A tool backed by a verified organization with years of history carries different risk than one published yesterday by an anonymous account.
Data Flow Mapping
We trace where data goes — external APIs, third-party services, analytics endpoints — and evaluate encryption status, data sensitivity, and whether the tool's network behavior aligns with its stated purpose. This includes inferring capabilities from dependency trees, not just declared permissions.
Policy & Transparency
We check whether the tool has a privacy policy and whether its claims match observed behavior. A policy that says 'we collect no data' while the tool requests cookies and browsing history is a material inconsistency — and our model flags it.
What We Scan
Built on Industry Standards
Our scoring model doesn't exist in a vacuum. It's grounded in the frameworks that define how enterprise security teams assess risk — adapted and extended for the specific threat landscape of browser extensions, IDE plugins, open-source packages, and AI tool integrations.
| Standard | Publisher |
|---|---|
| OWASP Top 10 | OWASP Foundation |
| MITRE ATT&CK | MITRE Corporation |
| NIST SP 800-53 | NIST |
| NIST Privacy Framework | NIST |
| SLSA v1.0 | OpenSSF / Google |
| CWE | MITRE Corporation |
| CISA SSDF | CISA / NIST |
| GDPR | European Union |
| CCPA | State of California |
| FTC Act Section 5 | FTC |
Built by Practitioners
SamuAI isn't built by people who read about security — it's built by people who do it. Our methodology comes from hands-on experience in third-party risk management, supply chain security assessments, and AI governance at organizations where the stakes are real.
We've taken the same rigor that goes into evaluating enterprise vendors and SaaS platforms and applied it to the tools that developers and everyday users install without a second thought — the browser extensions, IDE plugins, npm packages, and MCP servers that have direct access to your code, your data, and your credentials.
The result is a scoring system that doesn't just count permissions — it understands context, evaluates provenance, traces data flows, and surfaces the specific risks that matter. No hand-waving. No vague "trust scores." Just observable signals, analyzed against the highest bar we know how to set.
What We Don't Do
Transparency means being honest about boundaries. SamuAI is an automated risk assessment tool, not a replacement for a full security audit.
See the methodology in action.