🚀 250 Clones in 4 Days: A Student's Journey Building an AI Security Tool
By Nasarah Peter Dashe
Cybersecurity Student @ UNIJOS | Founder of Permi
The Numbers That Surprised Me
On April 2nd, 2026, I did something terrifying.
I typed pip install permi into my terminal, ran a few final tests, and hit publish on PyPI. A vulnerability scanner built by a student with no funding, no team, and no prior accomplishments was now available for anyone in the world to download.
Four days later, GitHub told me something I didn't expect:
250 clones.
62 developers per day, on average, downloading Permi. Testing it. Breaking it. Some even giving feedback.
This isn't a Silicon Valley startup with millions in backing. This is a cybersecurity student at the University of Jos, building in public, one commit at a time.
The Problem That Wouldn't Leave Me Alone
I've spent hours staring at security scan reports. You know the kind: 47 "critical" vulnerabilities flagged, only 4 of them real. The rest? False positives. Misconfigurations that don't apply. Warnings about libraries I wasn't even using.
That's not security. That's noise.
And noise has a cost:
- Developers learn to ignore alerts
- Real vulnerabilities slip through
- Breaches happen
The recent LiteLLM supply chain attack proved that even the tools we trust to secure us can become the vulnerability. Three security tools compromised in five days using the same stolen credentials. The attacker didn't exploit the tools – they exploited the CI/CD access those tools had.
I saw this gap and couldn't unsee it.
Nigerian developers and SMBs are stuck with expensive, complex tools built for Western enterprises. Tools that don't understand our local fintech APIs, our hosting constraints, or the unique threats we face. Tools that interrupt our flow instead of supporting it.
So I decided to build something different.
What Permi Is (And Isn't)
Permi is an AI-powered vulnerability scanner designed for one job: meet developers where they already work.
| Feature | Status |
|---|---|
pip install permi |
✅ Live |
| CLI scan command | ✅ Live |
| Web vulnerability detection (SQLi, XSS, etc.) | ✅ Live |
| AI false-positive classifier | 🚧 In progress |
| VS Code extension | 🔜 Planned |
| GitHub Action | 🔜 Planned |
One command to scan a website:
pip install permi
permi scan --url https://example.com
No context switching. CLI first, with IDE integrations coming soon.
AI that actually helps. False-positive filtering, remediation suggestions, risk prioritization.
Built for Nigeria first. Affordable pricing, local vulnerability checks, NDPR compliance mapping.
Permi isn't trying to replace every security tool. It's trying to fix the parts that frustrate developers most.
What 250 Clones Tell Me
Numbers without context are just numbers. Here's what these 250 clones mean to me:
1. The problem is real
Developers don't clone random repos. They clone tools they intend to use or learn from.
2. My announcement worked
The spike of 70 clones in a single day came right after I shared Permi on social media. Community matters.
3. Word of mouth is happening
250 clones in 4 days means people are sharing my link. I don't have a marketing budget. I have developers who see value.
4. I'm no longer "pre-product"
An investor recently told me Permi had "no traction." Now I have evidence that the market disagrees.
What I've Learned (In Just 4 Days)
Shipping is everything.
An imperfect product in the wild is infinitely more valuable than a perfect product in your head.
Traction talks.
No amount of pitch deck polish replaces a developer typing pip install permi and running your code.
Community is my unfair advantage.
Senior security leaders accepted my connection requests. Practicing security analysts took time to explain real-world misconfigurations like .env leaks and dependency confusion. Security companies engaged with my posts.
These aren't just names. They're people who saw a student trying to build something real and decided to help.
What's Next for Permi
The MVP is live. Now I'm building:
- AI false-positive classifier – cut the noise by 80%
- VS Code extension – real-time scanning as you code
- GitHub Action – automatic PR comments and blocking
- API scanner – for fintechs and backend teams
I've also applied to the iDICE Founders Lab – a ₦10 million grant program for early-stage Nigerian founders. If selected, I'll use the funding to focus on Permi full-time, hire a part-time developer, and reach our first 500 paying users.
I Need Your Help
I'm not writing this to brag about 250 clones. I'm writing this because I genuinely believe the best products are built with the community, not in isolation.
So here's my ask:
If you're a developer, founder, or security professional:
- Try Permi:
pip install permi
permi scan --url https://your-site.com
Break it. Tell me what's missing, what's confusing, what's broken.
Share this post with one person who struggles with security noise.
And if you've ever ignored a security alert because you've been burned by false positives before – drop a comment. I want to hear your story.
One Last Thing
Four days ago, Permi was just a PyPI package.
Today, it's been cloned 250 times.
Tomorrow, I'm back to building.
Because that's what founders do. We ship, we learn, we iterate. And we do it in public, so everyone can see that a student at UNIJOS with no funding can still build tools that matter.
pip install permi and let's secure Nigeria's developers, one scan at a time.
🔗 Links
- GitHub: github.com/peternasarah/permi
- PyPI: pypi.org/project/permi
- Twitter/X: @peternasarah
- Permi: https://peternasarah.github.io/permi
🏷️ Tags
cybersecurity devsecops opensource python buildinpublic supplychainsecurity
Top comments (0)