We read the source. We counted the blast radius.
An honest audit of how much action-surface the ten most popular open-source agent frameworks expose by default. Shell, code execution, file writes, a logged-in browser. We verified every finding at the source — and we share the file-level specifics privately with each team first. If we’ve mis-read your framework, tell us and we’ll fix it in the open.
Agents don’t just answer any more. They run shell commands, execute generated code, write files and drive authenticated browsers. That action layer is where untrusted input sits one hop from a real send, pay, write or exec. We wanted to know how big that surface actually is across the frameworks builders reach for, so we read the executor code of ten of them and counted only concrete affordances we verified at the source. This is that count. It exists because the risk in agents is not the model getting fooled. It is what the agent is allowed to do next.
Ranked by dangerous default surface
“Dangerous by default” means the shipped default path reaches the host or a live session unsandboxed, with no approval gate — not what is merely possible with configuration.
| # | Framework | Stars | Surfaces | Default posture | Default action pattern |
|---|---|---|---|---|---|
| 1 | gpt-engineer | 55.2k | 2 | Host, ungated | runs model-written code on the host by default, without a sandbox or approval gate. |
| 2 | MetaGPT | 69.2k | 4 | Host, ungated | in-process code execution plus a host shell command, on in the default path. |
| 3 | LangChain | 141k | shell + broad | Broad surface | a live shell tool and the broadest overall tool surface (HTTP, file, DB). Its raw-exec Python REPL was removed for safety. |
| 4 | AutoGPT | 185k | 4 | Gated | several exec paths, but Docker by default and host shell only if opted in. |
| 5 | AutoGen | 59.5k | 3 | Gated | local code execution, but ships a dangerous-command sanitiser and a Docker/cloud alternative. |
| 6 | browser-use | 103k | ~10 | Live session | drives a real logged-in browser — click, navigate, upload. A poisoned page sits one hop from a real action. |
| 7 | crewAI | 55k | 3 | Mixed | file write to a model-supplied path; its code-exec tooling leans sandboxed. |
| 8 | LlamaIndex | 50.7k | 1 | Opt-in | a subprocess code interpreter the maintainers themselves flag as not for production. |
| 9 | OpenAI Agents SDK | 27.7k | 3 | Sandboxed | shell bound to a sandboxed, scoped session, with a human-in-the-loop example in the repo. Safest of the shell-capable set. |
| 10 | Semantic Kernel | 28.3k | 1 | Off-host | Python execution runs off-host in a remote pool — no local host exec. |
Counts are verified lower bounds from the primary executor and tool files. A framework’s true surface is at least what we describe here.
What we measured, and what we did not
We verified each repository via the GitHub API, located the real executor code, and read the source. We counted only concrete affordances that carry an agent from thinking to doing — shell and subprocess exec, code eval, file writes, a live authenticated browser. We are not scoring code quality, and this is not a scoreboard of shame. It is a point-in-time reading of shipped defaults, correctable in the open.
The honest part
A big action surface is not a flaw. An agent that cannot act is a chatbot. The interesting signal is not who has a surface, but who has already started securing it — and several of these teams visibly are. LangChain pulled its raw exec REPL. AutoGPT and AutoGen default to Docker. OpenAI binds shell to a sandbox. Semantic Kernel runs code off-host. Credit where it is due.
Why one shared layer
Every team here is doing per-framework what should exist once, as a layer. A consistent control point in front of every dangerous action, whichever framework a builder picked. Untrusted input is one hop from a real send or pay. That control point is what Hermes Shield builds.
Your agent has this surface too.
Whichever framework you built on, your agent can reach tools that untrusted text can trigger. We’re building the shared control point that sits in front of those actions, and letting builders in slowly. Register interest and we’ll bring you in as it opens.
Register InterestMethod date 2026-07-05. Star counts via the GitHub REST API, same date. Read-only analysis of public source. Findings are point-in-time; frameworks evolve. Framework names are third-party marks, cited neutrally, not an endorsement. Corrections welcome — if we’ve mis-cited your framework, tell us and we’ll fix it in the open.

