We Scanned the Top 50 OSS AI Repos. Here's What We Found.Research Report
The TL;DR
We ran Nixer's full 4-module security scanner against the top 50 most-starred open-source AI agent repositories on GitHub. The results are not encouraging.
The average score was 34 out of 100. More than half of the repos had at least one critical-severity finding — something an attacker could exploit to steal secrets, execute code, or manipulate agent behavior. Only 6 of the 50 repos earned a passing grade.
The dominant vulnerability class is prompt injection via unvalidated tool call chains. In most of these repos, raw user input flows directly into LLM context and then into tool calls — without sanitization. Once a model trusts that context, attackers can redirect it.
If you're building on top of any of these repos — or shipping a product that uses AI agents — the question isn't whether you've inherited one of these vulnerabilities. It's whether you've audited for them.
Methodology
We scanned the top 50 OSS AI agent repos by GitHub stars, using Nixer v1.5.0 with all four scanner modules enabled:
| Module | What it scans | Detection method |
|---|---|---|
prompt-injection | Unvalidated user input in tool call chains, injection sinks | Static taint analysis |
secrets-scan | Hardcoded API keys, tokens, credentials | TruffleHog + custom regex |
model-supply-chain | Unsafe model loading, typosquatted packages | Dependency audit + PyPI check |
mcp-probe | Unauthenticated MCP endpoints, missing allowlists | Config audit + endpoint enumeration |
cicd-pipeline-scan | GitHub Actions misconfigs, secret exposure in workflows | YAML static analysis |
Scope: main branch, latest commit as of June 5, 2026. All findings linked to published CVEs or Nixer detection rules with public documentation. No unreported criticals surfaced.
Findings by Category
1. Prompt Injection (Critical)
11 of 50 repos have unvalidated user input flowing into tool call chains. The pattern: user message → LLM prompt → tool invocation, with no sanitization at the boundary. Attackers can embed instructions in the user message that the agent acts on as if they were developer intent.
The fix is input boundary validation: tag user input so it cannot masquerade as system instructions, and verify tool call structure before execution.
2. Secrets in Source (High)
13 secrets (API keys, tokens, connection strings) found across 9 repos. Most were added in early development and never cleaned up. While most are test/dev keys, several repos shipped production tokens — now revoked, but visible in git history.
Secrets exposure is down 31% vs. our 2025 scan. The community is getting better at token rotation and secret scanning at commit time. The 9 repos that still had exposed secrets are almost exclusively older, less-active projects.
3. Model Supply Chain (Critical)
6 repos use torch.load() without weights_only=True. A malicious model file can embed arbitrary Python via pickle — execution on load. 3 repos have typosquatted dependencies (packages 1–2 edits from legitimate ones).
4. RAG Corpus Integrity (High)
4 repos fetch external content for RAG (Retrieval-Augmented Generation) without sanitization. If an attacker can influence what gets indexed — via SEO poisoning, collaboration poisoning, or direct injection — they can alter what the agent believes to be true.
5. MCP Tool Allowlist Missing (Medium)
5 repos expose MCP (Model Context Protocol) tool endpoints without authentication or allowlisting. Tools like send_email, read_file, and execute_shell are accessible to any caller.
Score Distribution — 50 Repositories
Nixer security score (0–100) by grade bucket
Top 5 Most Secure Repos
These repos earned the highest scores — they have security practices worth studying. View the full leaderboard →
stanfordnlp / dspy
DSPy — declarative self-improving AI pipelines. Signed releases, weights_only=True, no exposed MCP endpoints.
BerriAI / litellm
LiteLLM — unified API for 100+ LLMs. Comprehensive secret scanning in CI, strong dependency pinning.
openai / swarm
OpenAI Swarm — experimental multi-agent framework. Minimal attack surface due to lean design.
geekan / MetaGPT
MetaGPT — multi-agent SDE team. Active maintenance, good prompt boundary hygiene.
All-Hands-AI / OpenHands
OpenHands — AI coding agent. Strong CI/CD controls, no critical supply chain issues.
5 Repos With Highest Improvement Potential
These repos have large user bases but significant exposure. Fixing the top finding in each would move the needle most.
Significant-Gravitas / AutoGPT
185k stars. Unvalidated tool call chains + hardcoded secrets + template injection (CVE-2025-1040 patched). Moving from F to D would drop criticals by 2.
langchain-ai / langchain
138k stars. Serialization injection (CVE-2025-68664 patched) + 9 total findings. High blast radius — affects anyone using their serialization layer.
joaomdmoura / crewAI
30.5k stars. Docker fallback vulnerability (CVE-2026-2287 patched) + 4 findings. Active user base; patching is urgent.
assafelovic / gpt-researcher
24.9k stars. Unvalidated RAG corpus fetch + MCP endpoint unauthenticated. High impact for production deployments.
Pythagora-io / gpt-pilot
32.4k stars. Prompt injection + MCP tool sprawl. Active fork community; security issues propagate downstream.
Decision Tree: What to Fix First
If you're a security team or maintainer working through a backlog, use this to prioritize:
Priority triage decision tree
torch.load() without weights_only=True?If yes → patch immediately. This is arbitrary code execution on model load. Move to step 2.
If yes → add input boundary tagging and validation before tool call execution. Move to step 3.
eval() / exec() calls processing LLM output?If yes → replace with safe expression evaluators (AST-based) or sandboxed subprocesses. Move to step 4.
npx nixer scan <your-repo> to catch everything else.Full scanner covers MCP endpoints, secrets in git history, CI/CD misconfigs, and more.
What's Changed Since Last Year
We ran a similar scan in June 2025 against 30 repos. Comparing this year's top 30 to last year's cohort:
| Category | 2025 | 2026 | Trend |
|---|---|---|---|
| Critical findings per repo (avg) | 2.4 | 1.8 | ↓ 25% |
| Repos with exposed secrets | 73% | 42% | ↓ 31 pp |
| Repos with no criticals | 10% | 12% | ↑ 2 pp |
| Prompt injection prevalence | 87% | 58% | ↓ 29 pp |
| Repos scoring below 20 | 40% | 46% | ↑ 6 pp |
The community is improving on secrets hygiene. Prompt injection prevalence dropped significantly. But the distribution is getting more bimodal — the better-funded, more-active repos are pulling ahead, while older or less-active repos are falling further behind.
Scan your own repo
30 seconds. No signup required. Get your score and a full findings report.