Is Weights & Biases Weave safe?
Weights & Biases Weave scores 86.6/100 (Grade A), ranked #18 of 328 tracked open-source AI agent projects, on evidence coverage A (4 of 5 independent signal types).
The public evidence: its packages ship with cryptographic provenance;
OSSF Scorecard rates its supply-chain practices 6.5/10;
98% of recent commits are signed;
last pushed 2026-07-11. Every point is earned from checkable signals — never paid placement. How scoring works →
Quick Trust Read
Verdict
Strong public trust posture, backed by multiple independent signals.
86.6/100 · Grade A
Strongest Signal
Identity / Provenance
18.0/18
Weakest Signal
Adoption
15.0/20
What Would Improve It
Improve adoption to lift the weakest part of the trust profile.
Recent Changes
2026-06-26
Rank Moved
Rank rose 10 spots (#29 → #19)
Maintainer Checklist
Raise Scorecard signalsCurrent OSSF Scorecard is 6.5/10. Tighten the weakest checks to improve public safety evidence.
How to read this: HVTrust (0–100) weighs supply-chain signals (provenance, OSSF Scorecard, signed commits, open license) alongside real-world adoption. Grade A reflects the trust score band: A ≥ 80, B ≥ 65, C ≥ 50, D < 50. Evidence coverage A is separate — it grades how many independent signal types back the score (4 of 5), so a high score on thin evidence stays visible. Full methodology →
Signals refreshed2026-07-11 04:00 UTC·Repo last pushed today
Rank Trend
2026-07-052026-07-11
Activity & Reach
Stars
1.1k
Forks
157
Last Push
2026-07-11
today
Commits (4 wk)
276
Downloads (7d)
611,935
npm+pypi
HN mentions (30d)
0
Open Issues
78
Rank Change
▲1
was #19
Analysis
HVTrust Dimensions
86.6 / 100 · 100.0% confidence
Safety / IntegrityOSSF, provenance, signatures
20.5 / 25
Identity / ProvenanceListing and build link
18.0 / 18
TransparencyLicense and public checks
14.0 / 17
MaintenanceFreshness and commits
20.0 / 20
AdoptionStars and downloads
15.0 / 20
Activity Inputs
78.5 / 100
StarsRepository reach
18.3 / 30
FreshnessLast push recency
25.0 / 25
ActivityRecent commits
25 / 25
CommunityFork signal
10.2 / 20
Supply Chain Trust
Package Provenance
Verified
npm, pypi attestation
OSSF Scorecard
6.5 / 10
OpenSSF Scorecard · scanned Jul 10, 2026
Signed Commits
98%
of last 100 commits verified
Binary-Artifacts10
Branch-Protection4
CI-Tests10
CII-Best-Practices0
Code-Review10
Contributors10
Dangerous-Workflow10
Dependency-Update-Tool10
Fuzzing0
License10
Maintained10
Packaging10
Pinned-Dependencies5
SAST0
Security-Policy10
Signed-Releases-1
Token-Permissions0
Vulnerabilities0
Is Weights & Biases Weave safe?
Public supply-chain signals for Weights & Biases Weave are strong: it has multiple independent trust indicators in place. This does not replace your own security review, but Weights & Biases Weave carries less obvious unverified-evidence risk than projects with thin signals.
Does Weights & Biases Weave publish package provenance?
Yes. Weights & Biases Weave's package releases carry build provenance attestations, which cryptographically link the published package back to its source repository and CI workflow.
Does Weights & Biases Weave have an OpenSSF Scorecard?
Weights & Biases Weave has an OpenSSF Scorecard score of 6.5/10. The Scorecard checks for branch protection, signed releases, dependency updates, fuzzing, code review, and other supply-chain hygiene items. See the full check breakdown on this page.
Is Weights & Biases Weave actively maintained?
Actively maintained. The repository was pushed to within the last 1 day(s).
What license does Weights & Biases Weave use?
Weights & Biases Weave ships under Apache-2.0. A declared, OSI-approved license is one of the transparency signals HVTrust scores.
Are Weights & Biases Weave's commits signed?
98% of the last 100 commits to Weights & Biases Weave are verified-signed (GPG, SSH, S/MIME, or GitHub's signing flow). Signed commits help confirm that code was authored by who the commit claims.
Not a safety endorsement. HVTracker describes what public signals show, not whether a project is safe for your use case. Run your own security review before adopting in production.
These runtime-trust fields — detected from public repo docs and manifests — contribute a bounded adjustment to this project's HVTrust score alongside supply-chain evidence. The exact values each field can add or subtract are documented in the methodology → Compare this surface across every listed agent in the capability matrix →
MCP Server Support
high confidence
Implemented
Weights & Biases Weave appears to expose MCP server capabilities.
Detailed evidence is not shown in the public view.
Credential signal:
No explicit API-key/config marker detected.
Tool / Plugin Surface
high confidence
3 tags
Broad capability areas detected.
code
database
shell
Detailed evidence is not shown in the public view.
Package Provenance Drift
medium confidence
Partial
Some package metadata matches; some source metadata is missing
Detailed evidence is not shown in the public view.
MCP signal live
External deps live
Tool / plugin surface live
Package provenance drift live
How this surface has changed
Detected changes to Weights & Biases Weave's runtime surface and supply-chain posture, from daily public-signal snapshots. A change here means our detectors see something different — a genuinely changed capability, or better evidence of an existing one.
Detected MCP server support changed: none → implemented
Maintain Weights & Biases Weave?
HVTrust scores Weights & Biases Weave from public signals only — we never contact maintainers first. If a signal is wrong, stale, or missing (provenance you publish, a Scorecard you run, signed releases), tell us and we'll review it. Corrections are public and tracked on GitHub.