We built an automated vulnerability scanner that evaluates AI agent repositories against multiple security dimensions. Here are the results from scanning the top 100.
Key Findings
| Metric | Value |
|---|---|
| Repos scanned | 100 |
| High risk (score >= 50) | 9 |
| Medium risk (25-49) | 66 |
| Low risk (<25) | 25 |
| No security signals | ~75% |
| Average trust score | 75.4/100 |
Most Exposed Projects
- AUTOMATIC1111/stable-diffusion-webui — 160K stars, trust C, vulnerability score 55
- f/prompts.chat — 145K stars, trust C, vulnerability score 55
- rasbt/LLMs-from-scratch — 85K stars, trust C, vulnerability score 55
- hacksider/Deep-Live-Cam — 79K stars, trust C, vulnerability score 55
- n8n-io/n8n — 177K stars, trust C-, vulnerability score 45
These are public repositories with massive adoption and minimal security infrastructure.
What Makes a Project "High Risk"?
Our vulnerability score (0-100) combines:
- Security signals (30 points) — SECURITY.md, dependency scanning, known advisories
- Trust-popularity gap (25 points) — high stars but low trust rating
- Trust grade (20 points) — overall quality and maintenance rating
- Known advisories (20 points) — CVEs in GitHub Advisory Database
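To make the "security signals" dimension concrete, here is an added example (not Nerq's scanner code) that checks a local checkout for two of the signals named above: a SECURITY.md policy and dependency scanning. The file paths and workflow markers it looks for are assumptions about what counts as evidence, and advisory lookups are left out because they need network access.

```python
import tempfile
from pathlib import Path

# Assumed evidence for each signal; the post names the signals but not the
# exact files its scanner inspects.
POLICY_FILES = ["SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"]
DEP_SCAN_FILES = [".github/dependabot.yml", ".github/dependabot.yaml",
                  "renovate.json", ".github/renovate.json"]
DEP_SCAN_ACTIONS = ["actions/dependency-review-action", "pip-audit"]


def first_existing(root, candidates):
    """Return the first candidate path that exists as a file, else None."""
    return next((c for c in candidates if (root / c).is_file()), None)


def workflow_using(root, markers):
    """Return the first CI workflow file that mentions any marker, else None."""
    for wf in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        text = wf.read_text(errors="ignore")
        if any(m in text for m in markers):
            return wf.relative_to(root).as_posix()
    return None


def find_signals(repo_root):
    """Map each signal to the path that evidences it, or None if absent."""
    root = Path(repo_root)
    return {
        "security_policy": first_existing(root, POLICY_FILES),
        "dependency_scanning": first_existing(root, DEP_SCAN_FILES)
                               or workflow_using(root, DEP_SCAN_ACTIONS),
    }


def missing_signals(repo_root):
    """Sorted names of signals with no evidence in the checkout."""
    return sorted(k for k, v in find_signals(repo_root).items() if v is None)


def make_sample_repo():
    """Constructed sample: policy present, dependency review only in CI."""
    root = Path(tempfile.mkdtemp(prefix="sample-repo-"))
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / "SECURITY.md").write_text("Report to security@example.com\n")
    (root / ".github" / "workflows" / "ci.yml").write_text(
        "on: pull_request\njobs:\n  review:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/dependency-review-action@v4\n")
    return root


if __name__ == "__main__":
    for name, path in find_signals(make_sample_repo()).items():
        print(f"{name:20} {path or 'MISSING'}")
```

Point `find_signals` at your own checkout to see which signals it would be missing; a repository with neither file nor workflow evidence falls into the "no security signals" group from the findings table.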
How to Check Your Dependencies
```
pip install agent-security
agent-security scan requirements.txt
```
This checks each dependency against a trust database of 204K+ AI agents and tools, flagging CVEs, license issues, and maintenance problems.
Full Report
See the complete data at nerq.ai/vulnerable.
Powered by Nerq — the AI asset search engine with trust scores for 5M+ AI assets.