Nixer ran its full 4-module security scanner against 12 of the most-starred open-source AI agent repos on GitHub. Here's what we found.
Scanner: Nixer v1.4.2 · Scan date: June 2, 2026 · All scans run against latest main branch
Ranked by GitHub stars. Click a repo name to view its security findings history.
| Repository | Stars | Status | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|---|---|
| 185k | Active | 2 | 2 | 2 | 1 | 7 | |
| 138k | Active | 2 | 3 | 2 | 2 | 9 | |
| 70k | Active | 0 | 1 | 3 | 2 | 6 | |
| 57.7k | Maintenance | 1 | 1 | 2 | 1 | 5 | |
| 49.7k | Active | 1 | 1 | 2 | 1 | 5 | |
| 44.6k | Active | 0 | 1 | 1 | 1 | 3 | |
| 30.5k | Active | 1 | 2 | 1 | 0 | 4 | |
| 32.4k | Active | 1 | 1 | 1 | 1 | 4 | |
| 28k | Active | 0 | 0 | 1 | 1 | 2 | |
| 24.9k | Active | 1 | 1 | 0 | 1 | 3 | |
| 21.3k | Active | 0 | 0 | 1 | 1 | 2 | |
| 19.2k | Active | 0 | 0 | 0 | 2 | 2 |
AutoGen: in maintenance mode — Microsoft merged it into Semantic Kernel. OpenHands: renamed from OpenDevin (late 2024).
Which Nixer detection rules triggered most frequently — ranked by total occurrences.
Raw user input passed to LLM context without sanitization, then acted on via tool calls. Agent can be redirected via prompt injection.
API keys, tokens, or credentials committed to repository source. Visible to all contributors and trivially extractable from git history.
torch.load() called without weights_only=True. Malicious model files can embed arbitrary Python via pickle GLOBAL opcode.
MCP server responds to unauthenticated requests with full tool manifest. Tools like send_email, read_file, execute_shell accessible to any caller.
No rate limiting on auth or agent endpoints. Single IP can issue hundreds of requests without lockout, enabling credential stuffing and quota drain.
requirements.txt contains a package 1–2 edits away from a legitimate popular package. Typosquatted packages run exfil code on pip install.
Representative examples — all linked to public advisories where a CVE exists. No unpatched criticals are surfaced here.
langchain-ai/langchain's dumps()/dumpd() functions fail to escape dictionaries with user-controlled 'lc' keys. When LLM outputs influence metadata fields parsed through these serializers, attackers can instantiate arbitrary LangChain objects and exfiltrate environment variables (previously defaulted to secrets_from_env=True). Affects 847M+ downloads.
Affected: langchain-ai/langchain · Patch: langchain-core ≥0.3.81 or ≥1.2.5
GitHub Advisory → · Read the full technical analysis →
CrewAI doesn't continuously verify Docker availability during execution. If Docker becomes unavailable, the system silently falls back to an insecure sandbox mode where prompt injection can trigger arbitrary code execution. Chaining with the SSRF vulnerability (CVE-2026-2286) in RAG search tools amplifies blast radius.
Affected: joaomdmoura/crewAI (all versions with Code Interpreter) · CERT/CC VU#221883 → · Read the full technical analysis →
AgentOutputBlock implementation passes user-supplied format strings to Jinja2 without sanitization. Attackers with low-privilege access can inject template payloads that execute arbitrary shell commands on the host. Affects AutoGPT ≤0.3.4.
Affected: Significant-Gravitas/AutoGPT ≤0.3.4 · Fixed: ≥0.4.0 · NVD →
The PandasQueryEngine in llama-index-core uses eval() to execute LLM-generated pandas expressions. The original CVE-2023-39662 was patched to safe_eval(), but the safe_eval implementation was subsequently bypassed, re-opening RCE. Requires only a crafted data prompt.
Affected: run-llama/llama_index
AutoGPT's request wrapper uses urllib.parse for validation but requests for execution — causing hostname confusion on crafted URLs like http://localhost\\@google.com/../. Attackers can bypass SSRF protections to access internal services and cloud metadata endpoints.
Affected: Significant-Gravitas/AutoGPT <0.4.0 · Fixed: ≥0.4.0 · Red Hat Advisory →
How we scanned — for reproducibility and maintainer accountability.
npx nixer scan <url>Find the vulnerabilities in your codebase before someone else does. 30 seconds. No signup required.