You're Not Installing What You Think You Are

June 2, 2026 · 6 min read · HVTracker Research

Run pip install litellm right now. You'll get a package with 122 million weekly downloads. You can read every line of the source code on GitHub. Everything looks legitimate.

But here's what you can't do: prove that the package you just installed was actually built from that source code.

There is no cryptographic attestation, no build provenance, no SLSA signature — nothing that links the binary on PyPI to the commit on GitHub. The install probably matches. But "probably" is doing a lot of heavy lifting when the thing you're installing can execute shell commands, call APIs, and access your files.

83% of the 178 AI agents we track ship without build provenance.

Downloads are not trust

This is the part most people get wrong. They see "122M weekly downloads" and think that's a safety signal. It's not. Downloads tell you how popular something is. They tell you absolutely nothing about whether the package on the registry was built from the source you're reading.

Here are the most-downloaded AI agent packages that ship with zero provenance:

| Agent | Weekly downloads | Stars | Provenance |
|---|---|---|---|
| LiteLLM | 122M | 48.9k | None |
| LangChain | 77M | 138.2k | None |
| Weaviate | 35M | 16.3k | None |
| Browser Use | 8.8M | 96.5k | None |
| Claude Code | 8.7M | 129.3k | None |
| Google ADK | 7.9M | 19.9k | None |
| Flowise | 6.4M | 53.3k | None |
| Qdrant | 5.1M | 31.7k | None |
| Langfuse | 4.9M | 28.3k | None |
| Composio | 3.6M | 10.6k | None |

Combined: over 280 million weekly installs with no way to verify the build.

Think about what these tools do. LiteLLM proxies your API keys to LLM providers. Browser Use controls your browser. Claude Code executes shell commands. These aren't passive libraries — they're active agents with real permissions. The gap between "source on GitHub" and "binary on the registry" matters more here than anywhere.

The ones who actually do it

31 out of 178 agents we track publish build provenance. And here's the pattern that's hard to ignore: they dominate the top of our trust rankings.

| Agent | Weekly downloads | Stars | Provenance | HVTrust rank |
|---|---|---|---|---|
| n8n | 218M | 190.6k | Verified | #6 |
| LangGraph | 15.6M | 33.6k | Verified | #1 |
| Codex | 13.6M | 87.6k | Verified | #3 |
| Vercel AI SDK | 13.0M | 24.6k | Verified | #4 |
| PydanticAI | 9.6M | 17.4k | Verified | #2 |
| OpenAI Agents SDK | 6.1M | 26.8k | Verified | #5 |
| Cline | 4.2M | 62.6k | Verified | #7 |
| CopilotKit | 240k | 31.9k | Verified | #38 |

The top 7 agents on HVTracker all have verified provenance. That's not a coincidence — it's a signal. Projects that bother with build attestations also tend to sign commits, run OSSF Scorecard, and maintain security policies. Trust signals cluster.

What's actually in the gap

When a package ships without provenance, here's what sits between the source code and your machine — unverified:

The maintainer's local machine or CI pipeline → their registry credentials → the registry's build storage → your pip install.

At any of those steps, the package could be modified. A compromised CI secret. A hijacked npm/PyPI token. A supply chain attack on a build dependency. Without provenance attestation, you have no way to detect any of these after the fact.

With provenance, you can run npm audit signatures, or verify the package's PEP 740 attestations on PyPI, and get a cryptographic chain: this package was built at this commit, by this CI workflow, from this repo. If anything doesn't match, you know.
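The first half of that check, finding out whether a release even has an attestation on the registry, can be done from public metadata alone, and it is what separates "Verified" from "None" in the tables above. The Python below is an added example, not HVTracker's code or tooling. The two registry records are constructed samples that mirror the shape of an npm packument's dist.attestations field and a PEP 740 Simple API JSON response; example-agent is a placeholder package name, and the "Partial" label for releases that attest some files but not others is this example's own addition.

```python
"""Report whether a package version on npm or PyPI carries build provenance.

Added example, not HVTracker's own code. The registry records below are
constructed samples mirroring real registry response shapes; the package
name "example-agent" is a placeholder.
"""
from __future__ import annotations

import re
from typing import Any

# SLSA provenance predicate types share this prefix (v0.2, v1, ...).
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"

# Constructed npm packument: 1.2.3 was published with `npm publish
# --provenance`, 1.2.2 was not. npm records the attestation under
# versions[v].dist.attestations (Sigstore bundle URL + SLSA predicateType).
NPM_SAMPLE: dict[str, Any] = {
    "name": "example-agent",
    "versions": {
        "1.2.3": {"dist": {
            "tarball": "https://registry.npmjs.org/example-agent/-/example-agent-1.2.3.tgz",
            "attestations": {
                "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-agent@1.2.3",
                "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
            },
        }},
        "1.2.2": {"dist": {
            "tarball": "https://registry.npmjs.org/example-agent/-/example-agent-1.2.2.tgz",
        }},
    },
}

# Constructed PEP 691 Simple API JSON response carrying the PEP 740
# "provenance" key: a URL when an attestation was uploaded, null otherwise.
PYPI_SAMPLE: dict[str, Any] = {
    "meta": {"api-version": "1.3"},
    "name": "example-agent",
    "files": [
        {"filename": "example_agent-1.2.3-py3-none-any.whl",
         "hashes": {"sha256": "<placeholder-digest>"},
         "provenance": "https://pypi.org/integrity/example-agent/1.2.3/"
                       "example_agent-1.2.3-py3-none-any.whl/provenance"},
        {"filename": "example_agent-1.2.3.tar.gz",
         "hashes": {"sha256": "<placeholder-digest>"}, "provenance": None},
        {"filename": "example_agent-1.2.2-py3-none-any.whl",
         "hashes": {"sha256": "<placeholder-digest>"}, "provenance": None},
    ],
}

# name-version[-buildtag-pytag-abi-platform].whl  or  name-version.tar.gz
_DIST_VERSION = re.compile(r"^[A-Za-z0-9_.]+-([^-]+?)(?:-.*\.whl|\.tar\.gz)$")


def version_from_filename(filename: str) -> str | None:
    """Extract the version from a wheel or sdist filename."""
    m = _DIST_VERSION.match(filename)
    return m.group(1) if m else None


def npm_has_provenance(packument: dict[str, Any], version: str) -> bool:
    """True when npm lists a SLSA provenance attestation for this version.
    Presence only: the bundle itself is verified by `npm audit signatures`."""
    dist = packument.get("versions", {}).get(version, {}).get("dist", {})
    att = dist.get("attestations")
    if not isinstance(att, dict) or not att.get("url"):
        return False
    prov = att.get("provenance")
    if not isinstance(prov, dict):
        return False
    return str(prov.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX)


def pypi_files_with_provenance(simple_json: dict[str, Any], version: str) -> dict[str, bool]:
    """Per-file provenance status for one release. A release can mix an
    attested wheel with an unattested sdist, so every file is reported."""
    return {
        f["filename"]: bool(f.get("provenance"))
        for f in simple_json.get("files", [])
        if version_from_filename(f["filename"]) == version
    }


def provenance_status(registry: str, record: dict[str, Any], version: str) -> str:
    """Collapse to a label: Verified, Partial (example's own label), or None."""
    if registry == "npm":
        return "Verified" if npm_has_provenance(record, version) else "None"
    if registry == "pypi":
        files = pypi_files_with_provenance(record, version)
        if files and all(files.values()):
            return "Verified"
        if any(files.values()):
            return "Partial"
        return "None"
    raise ValueError(f"unknown registry: {registry}")


if __name__ == "__main__":
    for reg, rec, ver in [("npm", NPM_SAMPLE, "1.2.3"), ("npm", NPM_SAMPLE, "1.2.2"),
                          ("pypi", PYPI_SAMPLE, "1.2.3"), ("pypi", PYPI_SAMPLE, "1.2.2")]:
        print(f"{reg:4} example-agent {ver}: {provenance_status(reg, rec, ver)}")
```

Metadata presence is only the first step. A non-null provenance field tells you an attestation was uploaded, not that it checks out; npm audit signatures (for npm) and the pypi-attestations tool (for PyPI) do the cryptographic part, verifying the Sigstore bundle against the repository and CI workflow the attestation claims. The per-file report matters in practice: a wheel built and attested in CI alongside an sdist uploaded from a laptop is a gap that a single yes/no flag would hide.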

Why AI agents are different

When someone compromises a date-formatting library, the worst case is data exfiltration through a dependency. Bad, but bounded.

When someone compromises an AI agent, the worst case is whatever that agent was authorized to do:

The blast radius of a compromised AI agent is categorically larger than a compromised utility library. And yet 83% of them ship with the same level of supply chain verification as a left-pad clone: none.

It's not hard to fix

Both npm and PyPI support provenance attestation today. If your project uses GitHub Actions (and most do), enabling it is a configuration change — not a rewrite:

CopilotKit added provenance and their trust score jumped from the 60s to 75. It's one of the highest-leverage trust improvements a maintainer can make.

Not an accusation. Missing provenance doesn't mean a project is compromised. It means you can't independently verify that it isn't. For most packages, that's an acceptable risk. For an AI agent with tool access and API keys? You should at least know the gap exists.

Check if your agent has provenance

We track build provenance, OSSF Scorecard, signed commits, and 10+ other trust signals across hundreds of AI agents. Updated daily.

Browse the trust registry

Data from HVTracker signals as of June 2, 2026. Provenance is checked via npm registry attestations and PyPI PEP 740 metadata. Download counts from npm and PyPI APIs. Full methodology.