
The Most Popular AI Agents Ship Without Provenance — Here's the List

May 30, 2026 · 5 min read · HVTracker Research

If you pip install or npm install one of the most-starred AI agents on GitHub right now, chances are the package you get has no cryptographic link back to the source code you can see.

That means there is no publicly verifiable proof that the binary you're running was built from the repo you're reading. The install could match. It probably does. But you're trusting the maintainer's CI pipeline, their PyPI/npm credentials, and everyone in between — on faith.

We checked the 10 most-starred AI agents we track. Eight of them ship without any form of build provenance.

The list

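| Agent | Stars | Provenance | HVTrust Rank |
|---|---|---|---|
| OpenClaw | 375k | None | #74 |
| AutoGPT | 184k | None | #39 |
| opencode | 167k | None | #127 |
| Langflow | 148k | None | #51 |
| Dify | 143k | None | #33 |
| LangChain | 138k | None | #24 |
| Claude Code | 127k | None | #101 |
| Firecrawl | 126k | None | #47 |
| Gemini CLI | 104k | None | #63 |
| Browser Use | 96k | None | #66 |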

Combined: over 1.6 million GitHub stars, zero build attestations.

Who actually does it?

Of the 172 agents we track, the ones that do publish provenance tend to rank disproportionately high — not because we reward it directly, but because projects that care about provenance also tend to care about signed commits, OSSF Scorecard, and disclosure policies. Trust signals cluster.

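| Agent | Stars | Provenance | HVTrust Rank |
|---|---|---|---|
| LangGraph | 33k | Verified | #1 |
| PydanticAI | 17k | Verified | #2 |
| Vercel AI SDK | 24k | Verified | #3 |
| OpenAI Agents SDK | 26k | Verified | #4 |
| Haystack | 25k | Verified | #5 |
| n8n | 190k | Verified | #6 |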

LangGraph is #1 with 33k stars. AutoGPT has 5x the stars and ranks #39. The difference is not popularity — it's verifiability.

Why this matters for AI agents specifically

This would be a concern for any open-source dependency. But AI agents are different in one important way: they execute code, call APIs, access tools, and increasingly spend money on your behalf.

If a compromised package gets pushed to PyPI for a logging library, the blast radius is data exfiltration. If a compromised package gets pushed for an AI agent with tool access, the blast radius is "whatever that agent was authorized to do" — which in production environments is often a lot.

Build provenance doesn't prevent compromise. But it makes compromise detectable. Without it, you're trusting that the gap between "source on GitHub" and "binary on the registry" is clean, and you have no way to check.

What provenance actually means

Package provenance is a cryptographic attestation — typically via SLSA or PEP 740 — that links the published package back to a specific commit, build system, and CI workflow. npm and PyPI both support it now. GitHub Actions makes it straightforward to enable.

It's not hard. It's just not done. Which is the uncomfortable part.

Not a safety judgment. Missing provenance doesn't mean a project is unsafe. It means an independent observer can't verify the build pipeline from public data. That's a gap, not an accusation.
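As an added illustration (not HVTracker's code or any project's own), the sketch below checks what a PEP 740 provenance object binds together: the file's SHA-256 digest, the file name, and the publisher repository. The object layout follows PEP 740 as understood here; the sample object, file name, repository name and helper names are constructed assumptions, and the signature is a placeholder that is not verified.

```python
import base64
import hashlib
import json


def check_provenance(provenance, filename, file_bytes, expected_repo):
    """Return a list of problems; an empty list means the metadata is consistent.

    Consistency check only: the signature in each envelope is NOT verified here.
    """
    bundles = provenance.get("attestation_bundles") or []
    if not bundles:
        return ["no attestation bundles: package ships without provenance"]
    digest = hashlib.sha256(file_bytes).hexdigest()
    problems, checked = [], 0
    for bundle in bundles:
        repo = bundle.get("publisher", {}).get("repository")
        if repo != expected_repo:
            problems.append(f"publisher repository {repo!r} != {expected_repo!r}")
        for att in bundle.get("attestations", []):
            try:  # the statement is base64-encoded in-toto JSON
                stmt = json.loads(base64.b64decode(att["envelope"]["statement"]))
            except (KeyError, TypeError, ValueError) as exc:
                problems.append(f"unreadable statement: {exc!r}")
                continue
            checked += 1
            subjects = {s.get("name"): s.get("digest", {}).get("sha256")
                        for s in stmt.get("subject", [])}
            if filename not in subjects:
                problems.append(f"{filename} is not a subject of the attestation")
            elif subjects[filename] != digest:
                problems.append(f"sha256 mismatch for {filename}")
    if checked == 0:
        problems.append("no readable attestation statement")
    return problems


def make_sample(filename, file_bytes, repo):
    """Build a CONSTRUCTED provenance object (placeholder signature, no real key)."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": filename,
                         "digest": {"sha256": hashlib.sha256(file_bytes).hexdigest()}}],
            "predicateType": "https://docs.pypi.org/attestations/publish/v1",
            "predicate": None}
    envelope = {"statement": base64.b64encode(json.dumps(stmt).encode()).decode(),
                "signature": "CONSTRUCTED-PLACEHOLDER"}
    return {"version": 1, "attestation_bundles": [{
        "publisher": {"kind": "GitHub", "repository": repo, "workflow": "release.yml"},
        "attestations": [{"version": 1, "verification_material": {},
                          "envelope": envelope}]}]}
```

An empty result here only means the metadata is self-consistent; a real verifier must also validate the signature and signing identity on each attestation before trusting any of these fields.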

Check your agent's trust profile

We track provenance, OSSF Scorecard, signed commits, and 10+ other signals for 172 open-source AI agents. Updated daily.


Data from HVTracker signals as of May 30, 2026. Provenance is checked via npm registry attestations and PyPI PEP 740 metadata. Full methodology.