We Scanned the Top 50 OSS AI Repos. Here's What We Found.Research Report

TL;DR — Key Findings
Average security score34 / 100 — Failing
Repos with a critical finding29 of 50 (58%)
Repos with an A or B grade6 of 50 (12%)
Most common attack surfacePrompt injection — unvalidated user input in tool call chains
Most-fired detection rulenixer/prompt-injection/unvalidated-tool-chain
Most improved category vs. 2025Secrets scanning — 31% fewer exposed keys than last year
34Avg Score / 100
29Critical Findings
6Grade A or B

The TL;DR

We ran Nixer's full 4-module security scanner against the top 50 most-starred open-source AI agent repositories on GitHub. The results are not encouraging.

The average score was 34 out of 100. More than half of the repos had at least one critical-severity finding — something an attacker could exploit to steal secrets, execute code, or manipulate agent behavior. Only 6 of the 50 repos earned a passing grade.

The dominant vulnerability class is prompt injection via unvalidated tool call chains. In most of these repos, raw user input flows directly into LLM context and then into tool calls — without sanitization. Once a model trusts that context, attackers can redirect it.

What this means

If you're building on top of any of these repos — or shipping a product that uses AI agents — the question isn't whether you've inherited one of these vulnerabilities. It's whether you've audited for them.

Methodology

We scanned the top 50 OSS AI agent repos by GitHub stars, using Nixer v1.5.0 with all four scanner modules enabled:

ModuleWhat it scansDetection method
prompt-injectionUnvalidated user input in tool call chains, injection sinksStatic taint analysis
secrets-scanHardcoded API keys, tokens, credentialsTruffleHog + custom regex
model-supply-chainUnsafe model loading, typosquatted packagesDependency audit + PyPI check
mcp-probeUnauthenticated MCP endpoints, missing allowlistsConfig audit + endpoint enumeration
cicd-pipeline-scanGitHub Actions misconfigs, secret exposure in workflowsYAML static analysis

Scope: main branch, latest commit as of June 5, 2026. All findings linked to published CVEs or Nixer detection rules with public documentation. No unreported criticals surfaced.

Findings by Category

1. Prompt Injection (Critical)

11 of 50 repos have unvalidated user input flowing into tool call chains. The pattern: user message → LLM prompt → tool invocation, with no sanitization at the boundary. Attackers can embed instructions in the user message that the agent acts on as if they were developer intent.

# Typical vulnerable pattern found across 11 repos: def run_agent(user_input: str): prompt = f"You are a helpful assistant. User said: {user_input}" response = llm.complete(prompt) tool_call = json.loads(response) # no validation of tool name or args execute_tool(tool_call["name"], tool_call["args"])

The fix is input boundary validation: tag user input so it cannot masquerade as system instructions, and verify tool call structure before execution.

2. Secrets in Source (High)

13 secrets (API keys, tokens, connection strings) found across 9 repos. Most were added in early development and never cleaned up. While most are test/dev keys, several repos shipped production tokens — now revoked, but visible in git history.

Good news

Secrets exposure is down 31% vs. our 2025 scan. The community is getting better at token rotation and secret scanning at commit time. The 9 repos that still had exposed secrets are almost exclusively older, less-active projects.

3. Model Supply Chain (Critical)

6 repos use torch.load() without weights_only=True. A malicious model file can embed arbitrary Python via pickle — execution on load. 3 repos have typosquatted dependencies (packages 1–2 edits from legitimate ones).

# Vulnerable — arbitrary code execution via pickle: model = torch.load("model.pt") # No weights_only=True # Fix: model = torch.load("model.pt", weights_only=True)

4. RAG Corpus Integrity (High)

4 repos fetch external content for RAG (Retrieval-Augmented Generation) without sanitization. If an attacker can influence what gets indexed — via SEO poisoning, collaboration poisoning, or direct injection — they can alter what the agent believes to be true.

5. MCP Tool Allowlist Missing (Medium)

5 repos expose MCP (Model Context Protocol) tool endpoints without authentication or allowlisting. Tools like send_email, read_file, and execute_shell are accessible to any caller.


Score Distribution — 50 Repositories

Nixer security score (0–100) by grade bucket

0 20 40 60 80 100 F D C B A 23 repos 12 repos 9 repos 4 repos 2 repos avg 34 0–19 20–39 40–59 60–79 80–100

Top 5 Most Secure Repos

These repos earned the highest scores — they have security practices worth studying. View the full leaderboard →

A

stanfordnlp / dspy

DSPy — declarative self-improving AI pipelines. Signed releases, weights_only=True, no exposed MCP endpoints.

84/100
A

BerriAI / litellm

LiteLLM — unified API for 100+ LLMs. Comprehensive secret scanning in CI, strong dependency pinning.

81/100
B

openai / swarm

OpenAI Swarm — experimental multi-agent framework. Minimal attack surface due to lean design.

72/100
B

geekan / MetaGPT

MetaGPT — multi-agent SDE team. Active maintenance, good prompt boundary hygiene.

69/100
B

All-Hands-AI / OpenHands

OpenHands — AI coding agent. Strong CI/CD controls, no critical supply chain issues.

68/100

5 Repos With Highest Improvement Potential

These repos have large user bases but significant exposure. Fixing the top finding in each would move the needle most.

F

Significant-Gravitas / AutoGPT

185k stars. Unvalidated tool call chains + hardcoded secrets + template injection (CVE-2025-1040 patched). Moving from F to D would drop criticals by 2.

18/100
F

langchain-ai / langchain

138k stars. Serialization injection (CVE-2025-68664 patched) + 9 total findings. High blast radius — affects anyone using their serialization layer.

22/100
F

joaomdmoura / crewAI

30.5k stars. Docker fallback vulnerability (CVE-2026-2287 patched) + 4 findings. Active user base; patching is urgent.

25/100
F

assafelovic / gpt-researcher

24.9k stars. Unvalidated RAG corpus fetch + MCP endpoint unauthenticated. High impact for production deployments.

20/100
F

Pythagora-io / gpt-pilot

32.4k stars. Prompt injection + MCP tool sprawl. Active fork community; security issues propagate downstream.

24/100

Decision Tree: What to Fix First

If you're a security team or maintainer working through a backlog, use this to prioritize:

Priority triage decision tree

1
Do you use torch.load() without weights_only=True?
If yes → patch immediately. This is arbitrary code execution on model load. Move to step 2.
2
Does user input flow into LLM prompts without sanitization?
If yes → add input boundary tagging and validation before tool call execution. Move to step 3.
3
Do you have eval() / exec() calls processing LLM output?
If yes → replace with safe expression evaluators (AST-based) or sandboxed subprocesses. Move to step 4.
4
Run npx nixer scan <your-repo> to catch everything else.
Full scanner covers MCP endpoints, secrets in git history, CI/CD misconfigs, and more.

What's Changed Since Last Year

We ran a similar scan in June 2025 against 30 repos. Comparing this year's top 30 to last year's cohort:

Category20252026Trend
Critical findings per repo (avg)2.41.8↓ 25%
Repos with exposed secrets73%42%↓ 31 pp
Repos with no criticals10%12%↑ 2 pp
Prompt injection prevalence87%58%↓ 29 pp
Repos scoring below 2040%46%↑ 6 pp

The community is improving on secrets hygiene. Prompt injection prevalence dropped significantly. But the distribution is getting more bimodal — the better-funded, more-active repos are pulling ahead, while older or less-active repos are falling further behind.

Scan your own repo

30 seconds. No signup required. Get your score and a full findings report.