LIVE · PUBLIC SCANS

What you inherit when you install an AI agent.

We scan popular open-source agent frameworks and map the dangerous capabilities you inherit on install — the sinks that go live the moment your agent reads untrusted content. Read-only static analysis. We under-report rather than over-claim, and we only headline what we can prove. Every new scan is added here.

12
frameworks audited
520
inherited attack surfaces
474
reachable-in-repo
361k+
combined GitHub stars
520M
projected @ 1M installs
Sort: · · ·
High

cua

Computer-use agent infrastructure — sandboxes and SDKs for AI agents that control full desktops (macOS/Linux/Windows) and browsers.

19,465
GitHub stars
127,445/mo
Downloads
261
Inherited surfaces
21
Reachable-in-repo
261 inherited RCE-class surfaces — the largest here. Designed to control a whole desktop, so untrusted input reaching them could mean full machine control.
Blast radius @ 1M installs: 261,000,000 inherited surfaces (illustrative)
Med

Langflow

A low-code, drag-and-drop visual builder for LLM-powered agents and workflows.

151,377
GitHub stars
79,925/mo
Downloads
47
Inherited surfaces
15
Reachable-in-repo
47 inherited RCE-class surfaces (including code-execution flow nodes) could run attacker-supplied code if a flow is fed untrusted input.
Blast radius @ 1M installs: 47,000,000 inherited surfaces (illustrative)
Med

letta

A platform for stateful agents with long-term memory that learn and self-improve (formerly MemGPT).

23,709
GitHub stars
184,384/mo
Downloads
34
Inherited surfaces
141
Reachable-in-repo
34 inherited RCE-class surfaces could execute attacker-supplied code if untrusted content reaches its agent/tool paths.
Blast radius @ 1M installs: 34,000,000 inherited surfaces (illustrative)
Med

potpie

A platform that builds a knowledge graph over a codebase and exposes AI agents for software-engineering tasks.

5,489
GitHub stars
614/mo
Downloads
34
Inherited surfaces
15
Reachable-in-repo
34 inherited RCE-class surfaces could run attacker code if its codebase agents are pointed at untrusted repositories or prompts.
Blast radius @ 1M installs: 34,000,000 inherited surfaces (illustrative)
Med

llama_index

A data framework connecting LLMs to external data for indexing, retrieval (RAG) and document agents.

50,735
GitHub stars
7,333,900/mo
Downloads
26
Inherited surfaces
116
Reachable-in-repo
26 inherited RCE-class surfaces (code-exec / deserialisation) could run attacker code if untrusted documents or query-tools reach them.
Blast radius @ 1M installs: 26,000,000 inherited surfaces (illustrative)
Med

SuperAGI

A dev-first framework for building, running and managing autonomous AI agents with a tool/plugin ecosystem.

17,610
GitHub stars
106/mo*
Downloads
22
Inherited surfaces
20
Reachable-in-repo
22 inherited RCE-class surfaces could execute attacker code once an agent tool is fed untrusted content.
Blast radius @ 1M installs: 22,000,000 inherited surfaces (illustrative)
Med

julep

A backend for durable, resumable, composable AI-agent workflows (long-running stateful flows).

6,599
GitHub stars
1,622/mo*
Downloads
21
Inherited surfaces
3
Reachable-in-repo
21 inherited RCE-class surfaces could run attacker code if a workflow step is wired to untrusted input.
Blast radius @ 1M installs: 21,000,000 inherited surfaces (illustrative)
Med

agno

A full-stack framework for building, running and managing multi-agent systems and agent platforms.

41,056
GitHub stars
2,369,929/mo
Downloads
20
Inherited surfaces
131
Reachable-in-repo
20 inherited RCE-class surfaces; also the largest reachable-in-repo count here (131). Untrusted agent input could run attacker code.
Blast radius @ 1M installs: 20,000,000 inherited surfaces (illustrative)
Low

RA.Aid

An autonomous software-development agent that plans and executes coding tasks, running shell commands and editing files.

2,224
GitHub stars
3,326/mo
Downloads
16
Inherited surfaces
1
Reachable-in-repo
16 inherited RCE-class surfaces — consistent with a tool that runs shell by design; untrusted task input could execute attacker code.
Blast radius @ 1M installs: 16,000,000 inherited surfaces (illustrative)
Low

semantic-kernel

An SDK for integrating LLMs into apps via plugins, planners and agent orchestration across .NET, Python and Java.

28,284
GitHub stars
2,545,181/mo
Downloads
15
Inherited surfaces
9
Reachable-in-repo
15 inherited RCE-class surfaces could run attacker code if a plugin/planner is fed untrusted input. Guard model is Python-only — weaker confidence on its .NET/C# code.
Blast radius @ 1M installs: 15,000,000 inherited surfaces (illustrative)
Low

notte

A framework for building web-browsing agents and deploying serverless browser-automation functions.

1,978
GitHub stars
9,341/mo
Downloads
13
Inherited surfaces
0
Reachable-in-repo
13 inherited RCE-class surfaces; 0 reachable-in-repo (all liability is inherited-on-install). Untrusted pages could drive code execution.
Blast radius @ 1M installs: 13,000,000 inherited surfaces (illustrative)
Low

babyagi

An experimental autonomous task-management agent that generates, prioritises and executes a self-extending task list.

22,324
GitHub stars
224/mo*
Downloads
11
Inherited surfaces
2
Reachable-in-repo
11 inherited RCE-class surfaces could run attacker code if the task-execution loop is wired to untrusted input.
Blast radius @ 1M installs: 11,000,000 inherited surfaces (illustrative)

Methodology & honesty

Scan numbers — Hermes Shield static analysis (entrypoint-grounded taint + guard attribution), each repo pinned to an exact commit. Install-liability = RCE-class sinks (code-exec / deserialize / subprocess) that are inert in the repo but go live once a downloader wires untrusted input to them. None are proven-live — no finding is PoC-confirmed; this maps surface, not demonstrated exploits.

Stars via the GitHub API and downloads via pypistats, fetched 8 Jul 2026. Several frameworks install mainly via source/Docker, so PyPI undercounts real usage. OWASP rating on the inherited follows severity×likelihood: RCE-class surfaces are capped at Med per-surface (not reachable-here) and banded to Low/Med/High by count. semantic-kernel is flagged — our guard model is Python-only, so confidence is lower on its .NET/C# code.

Blast radius @ 1M installs is a deliberately-labelled scale illustration, not a breach prediction — it conveys aggregate inherited exposure, and says nothing about exploitability or the probability of any given install being compromised.

Get your repo scanned