Coding Agents Ranked by Trust, Not Stars — The Results Are Embarrassing

May 30, 2026 · 6 min read · HVTracker Research

Everyone knows which coding agents are popular. opencode has 167k stars. Claude Code has 127k. Gemini CLI hit 104k in weeks. But popularity and trustworthiness are different questions, and when you ask the second one, the leaderboard flips.

We rank 172 open-source AI agents by HVTrust — a composite of supply-chain signals weighted so that harder-to-fake evidence (OSSF Scorecard, provenance, signed commits) counts more than stars. Here's what the coding agent category looks like when you sort by trust instead of GitHub hype.

The table nobody wants to see

Agent	Stars	Trust Rank	Trust Score	Provenance	Signed
Cline	62k	#10	88.5	Verified	91%
OpenHands	75k	#31	72.0	None	100%
Codex	86k	#36	70.3	None	100%
Gemini CLI	104k	#63	66.9	None	100%
Goose	46k	#56	67.5	None	100%
Open Interpreter	63k	#80	61.3	None	41%
Claude Code	127k	#101	55.5	None	18%
Aider	45k	#102	54.6	None	16%
GPT Pilot	33k	#122	43.9	None	1%
opencode	167k	#127	42.1	None	70%

opencode — the most-starred coding agent — ranks #127 out of 172. That's not a rounding error. It's a project with 167k stars, no provenance, no OSSF Scorecard, and a Grade D evidence rating. The signals we can verify are thin.

GPT Pilot has 1% signed commits. One percent. Out of the last 100 commits, one was verified-signed.

Claude Code — Anthropic's own agent — ranks #101 with 18% signed commits and no provenance. Being built by a major AI lab doesn't automatically translate to supply-chain hygiene.

The one that gets it right

Cline

Stars: 62k

HVTrust Rank: #10

Provenance: Verified (npm)

Signed commits: 91%

Scorecard: 6.1/10

Security Policy: 10/10

opencode

Stars: 167k

HVTrust Rank: #127

Provenance: None

Signed commits: 70%

Scorecard: N/A

Security Policy: N/A

Cline is the only coding agent in the global top 10. It ships npm provenance, maintains 91% signed commits, has a security policy, and scores 6.1/10 on the OSSF Scorecard. It's not the most popular coding agent. It's the most verifiable one.

The pattern

Across all 172 agents we track, the correlation between stars and trust score is weak. Projects that rank high on trust tend to share three traits:

They publish build provenance — linking the package on the registry back to a specific commit and CI run.
They sign their commits — not just one or two, but consistently across the team.
They have an OSSF Scorecard — branch protection, dependency updates, code review policies.

These are not exotic requirements. They're table stakes for any serious dependency. But in the AI agent ecosystem, most projects haven't gotten there yet — even the ones with six-figure star counts.

This is not a hit piece. Every project listed here is open-source, actively developed, and useful. Low trust scores reflect missing verifiable evidence, not poor intent. Many of these gaps are straightforward to close — enable Scorecard, sign commits, publish provenance. The agents that have done it rank accordingly.

Compare any two agents head-to-head

See the full signal breakdown side by side.

Compare Cline vs...

Data from HVTracker signals as of May 30, 2026. Rankings change daily as signals refresh. Full methodology. View all coding agents.