avai is a tiny security guard for your computer. It quietly checks the places malware likes to hide, then has an AI security expert look at what it found and tell you — in plain English — whether anything is dangerous.
Think of it as a health check‑up for your laptop or server. Nothing leaves your machine.
$ docker run -p 8765:8765 -v "$PWD":/data iklob1/avai
Every app you install, every browser extension, every "free" download can leave something behind — a program that starts up secretly, an add‑on that reads your passwords, a connection to a stranger's server. Your computer doesn't warn you, and there's no simple way to ask "hey, is this normal?"
Big‑company security software is expensive, complicated, and sends your private data off to someone else's cloud. Most people just hope nothing's wrong.
avai looks around your computer every few minutes, cross‑checks anything new against well‑known security databases, and asks an AI security expert to weigh in. You get a simple, colour‑coded list:
🔴 dangerous 🟡 worth a look ⚪ not sure 🟢 all good
Each warning comes with one clear sentence on why it's flagged and exactly what to do about it. And it all happens on your own machine — your files never get uploaded anywhere.
avai checks the spots malware likes to hide — programs that auto‑start, browser add‑ons, network connections, plugged‑in USB devices, important system files, app privacy permissions, and live authentication events. It only reads; it never changes anything.
Anything new gets cross‑checked against trusted security databases (the same ones professionals use), then handed to an AI security analyst that decides how worried you should be — and explains why, in one sentence. The same artifact is never analysed twice.
Open one web page and see everything colour‑coded red / yellow / green. Filter, sort, and search every table. It re‑checks every few minutes and chimes if something dangerous shows up.
You run it once with a single command (below). After that it works on its own in the background — no accounts to create, no monthly fee, and your data stays on your computer.
You don't need to know what any of these mean — avai watches them so you don't have to.
Malware loves to set itself to launch every time you turn the computer on. avai lists everything configured to auto‑start and flags the ones that don't belong.
Every app that's connected to the internet, and where. If something is quietly phoning home to a known‑bad server, you'll see it — with traffic volume and geo‑location of the remote address.
That "free downloader" add‑on that can read every page and your saved passwords? One of the most common ways people get hacked. avai checks what each one can do.
Which apps have access to your camera, microphone, location, screen recording, or full disk? avai reads the macOS privacy database (TCC) and flags unexpected grants — the kind a spy tool quietly requests.
Plugged‑in drives, keyboards, and paired Bluetooth gadgets — including the kind of fake "keyboard" attackers use to sneak in commands.
The sensitive files that control logins and permissions — SSH keys, sudoers rules, /etc/hosts redirects. avai notices the instant one of them is quietly changed.
Disk encryption, the firewall, Gatekeeper, SSH remote login, Screen Sharing, and Remote Desktop — with correct live detection on macOS. If something switched one off, that's the first thing you'll see.
Logins, sudo usage, Gatekeeper checks, TCC access grants — aggregated by pattern so thousands of repetitive log lines collapse into a handful of meaningful rows, each AI-classified for severity.
Running processes, open ports, DNS lookups, installed apps, scheduled tasks, kernel extensions, quarantined downloads, MDM profiles, Wi‑Fi security, drive mounts, setuid files — 26 checks in all. If it's a place attackers hide, avai is already looking there.
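The pattern aggregation described above for authentication events, shown as an added example (not avai's own code): per-event values are masked so repeated lines collapse into one row with a count and the distinct source addresses. The masking rules and the sshd-style sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd-style lines (documentation IP ranges); not real log data.
SAMPLE = [
    "Jan 12 03:14:07 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51514 ssh2",
    "Jan 12 03:14:09 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51530 ssh2",
    "Jan 12 03:14:12 web1 sshd[4127]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2",
    "Jan 12 03:14:15 web1 sshd[4130]: Failed password for invalid user test from 203.0.113.7 port 51544 ssh2",
    "Jan 12 08:01:44 web1 sshd[5210]: Accepted publickey for alice from 198.51.100.4 port 50022 ssh2",
]

IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Ordered masks: each replaces a per-event value with a placeholder.
MASKS = [
    (re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s"), ""),   # timestamp and hostname
    (re.compile(r"\[\d+\]"), "[<pid>]"),                  # process id
    (IP, "<ip>"),                                         # source address
    (re.compile(r"\bport \d+"), "port <n>"),              # ephemeral port
    (re.compile(r"\b(for(?: invalid user)?) \S+"), r"\1 <user>"),  # account name
]


def to_pattern(line):
    """Reduce one log line to its pattern by masking per-event values."""
    for rx, repl in MASKS:
        line = rx.sub(repl, line)
    return line


def aggregate(lines):
    """Group lines by pattern, keeping a count and the distinct source IPs."""
    rows = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        row = rows[to_pattern(line)]
        row["count"] += 1
        row["sources"].update(IP.findall(line))  # taken from the unmasked line
    return dict(rows)


if __name__ == "__main__":
    ranked = sorted(aggregate(SAMPLE).items(), key=lambda kv: -kv[1]["count"])
    for pattern, row in ranked:
        print(f'{row["count"]:>3}  {len(row["sources"])} src  {pattern}')
```

Keeping the source set beside the count lets a reviewer tell one noisy host from a distributed guessing run without reopening the raw log.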
26 collectors on macOS (21 on Linux), 17 threat‑intel sources, and a Claude‑class model that turns it all into plain‑English verdicts.
Hashes, IPs, domains, URLs, CVEs, packages and OS versions are enriched before the model ever sees them.
Every new finding is labelled malicious / suspicious / unknown / benign — with a MITRE category, a confidence, and a one‑line fix. Bring your own key (Anthropic or any litellm provider).
Same image is both dashboard and monitor.
Runs entirely on your host.
The same artifact is never judged twice.
Search, filter, sort, paginate, audio alerts.
Point the dashboard at any avai.db.
One tool, both platforms.
pip install avai-monitor.
Auditable, model‑agnostic.
What you get for one docker run.
Every finding comes back in plain English with a verdict, a confidence, a MITRE category, and a concrete fix — no query language, no triage spreadsheet.
One container. No SIEM, no agents to enroll, no control plane to run or pay for.
Everything runs on your machine; you bring your own model key, and only new findings ever leave — for a lookup or the LLM call you opted into.
Content‑hash dedup judges each artifact once — a busy host doesn't mean a big bill — and cached intel hits skip the network entirely.
26 host surfaces × 17 intel sources behind a single verdict — the coverage of an endpoint product without anything to install on every machine.
macOS and Linux from the same tool, with platform‑correct live detection.
MIT‑licensed, auditable, and model‑agnostic — swap to any litellm provider with one env var.
Collectors only read; the dashboard is read‑only. Point it at a server without touching it.
The whole state is a single SQLite file — scan on a server, view on your laptop, archive a snapshot, diff over time.
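The content-hash dedup mentioned above, as an added example (not avai's own code or schema): each artifact is reduced to a canonical form, hashed, and sent to the judge only when that hash has no stored verdict. The `verdict_cache` table, the `VOLATILE` field names, the sample autostart entries and `toy_judge` (an offline stand-in for the model call) are assumptions.

```python
import hashlib
import json
import sqlite3

VOLATILE = {"pid", "seen_at"}  # assumed per-scan fields that must not change identity


def content_hash(artifact):
    """SHA-256 of a canonical JSON form: stable key order, volatile fields dropped."""
    stable = {k: v for k, v in artifact.items() if k not in VOLATILE}
    blob = json.dumps(stable, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class JudgeCache:
    """Calls judge() only for content hashes with no stored verdict."""

    def __init__(self, db, judge):
        self.db, self.judge, self.calls = db, judge, 0
        db.execute("CREATE TABLE IF NOT EXISTS verdict_cache "
                   "(hash TEXT PRIMARY KEY, verdict TEXT NOT NULL)")

    def verdict(self, artifact):
        h = content_hash(artifact)
        row = self.db.execute(
            "SELECT verdict FROM verdict_cache WHERE hash = ?", (h,)).fetchone()
        if row:
            return row[0]                 # cache hit: no judge call
        self.calls += 1                   # cache miss: the billable call
        v = self.judge(artifact)
        self.db.execute("INSERT INTO verdict_cache VALUES (?, ?)", (h, v))
        return v


def toy_judge(artifact):
    # Stand-in for the model call so the example runs offline.
    return "suspicious" if artifact["program"].startswith("/tmp/") else "benign"


def run_scans():
    cache = JudgeCache(sqlite3.connect(":memory:"), toy_judge)
    scan1 = [  # constructed autostart entries
        {"label": "com.example.updater", "program": "/tmp/.cache/upd", "pid": 311, "seen_at": 1},
        {"label": "com.example.editor", "program": "/Applications/Editor.app", "pid": 402, "seen_at": 1},
    ]
    # Second scan: same entries with new PIDs and timestamps, plus one changed program path.
    scan2 = [dict(a, pid=a["pid"] + 1000, seen_at=2) for a in scan1]
    scan2.append(dict(scan1[1], program="/tmp/Editor", seen_at=2))
    calls = []
    for scan in (scan1, scan2):
        verdicts = [cache.verdict(a) for a in scan]
        calls.append(cache.calls)
    return calls, verdicts
```

Which fields count as volatile is the design decision that matters: leave a timestamp in the hash and every scan is a cache miss; drop a field an attacker can change, such as the program path, and a modified artifact inherits the old verdict.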
Finding things is easy; knowing which ones matter is the hard part. avai hands each new discovery to an AI security analyst (powered by Claude) that explains, in one plain sentence, why it's safe or risky — and tells you exactly what to do next.
Here's what real alerts look like — three findings from one check:
It launches a program from a temporary folder every time you sign in, and it isn't signed by a known software maker — a classic way malware stays on a machine.
→ Remove it, then check that temp folder for what it was running.
For a video downloader, it asks for a lot — it can read every website you visit and your login cookies. That mismatch is a common sign of a sketchy add‑on.
→ Turn it off and check when it was installed.
A trusted, signed app making a normal, encrypted connection to its own company. Nothing to worry about.
Open it in your browser and everything's right there — colour‑coded findings, live network flows, DNS queries, open ports, auth events, privacy permissions and more. Every table has search, filters, and pagination. It refreshes itself and chimes if something dangerous appears.
This part is for whoever sets up your computer or server — it's a single line they paste into a terminal. Not sure what that means? Send them this page; they'll know exactly what to do. Once it's running, you just open the web page.
Dashboard runs anywhere. Monitor needs a Linux host.
docker run -p 8765:8765 \
  -v "$PWD":/data \
  iklob1/avai
Monitor + dashboard, both auto-restart.
curl -O https://raw.githubusercontent.com/iklobato/avai/main/docker-compose.yml
docker compose up -d
Full visibility — including TCC, Gatekeeper, auth events — with sudo on macOS or Linux.
pip install 'avai-monitor[judge]'
sudo avai monitor &
avai dashboard
Add an API key; everything else stays the same.
docker run -p 8765:8765 -v "$PWD":/data \
  -e ANTHROPIC_API_KEY=sk-ant-... \
  iklob1/avai avai monitor --db /data/avai.db
Install once; it re-checks every 5 minutes on its own.
pip install 'avai-monitor[judge]'
sudo -E avai monitor --db /var/lib/avai/avai.db --interval 300 &
avai dashboard --db /var/lib/avai/avai.db --host 0.0.0.0
Native install with sudo for complete visibility — including privacy permissions and system integrity.
pip install 'avai-monitor[judge]'
export ANTHROPIC_API_KEY=sk-ant-...
sudo -E avai monitor &
avai dashboard
It's one file — ask it for the things worth worrying about.
sqlite3 -box avai.db "SELECT verdict, collector, reasoning
FROM judgements
WHERE verdict IN ('malicious','suspicious');"
Point the dashboard at any avai.db, on any computer.
docker run --rm -p 8765:8765 -v "$PWD":/data iklob1/avai
Full guide & more examples in the README.
Everything's MIT-licensed and lives at github.com/iklobato/avai.