The C+ Problem
We scanned 101 AI agents from the most popular frameworks. The results should worry you.
Not because the agents are catastrophically broken — they're not. But because the industry average is C+, and that's not good enough. Not when agents have shell access, API keys, and the ability to delegate to sub-agents.
This isn't theoretical. These are production agents. Real deployments. Running on real infrastructure with access to real data.
Grade Distribution
62% of agents scored a C. Not failing. Not excellent. Just… mediocre. And in security, mediocre is a liability.
🚨 The Trust Scoring Crisis
This is the #1 blind spot in the entire agent ecosystem:
38% of agents fail trust scoring entirely. Only 7% fully pass.
Here's what that means: When an agent delegates to a sub-agent, almost nobody verifies the sub-agent is trustworthy. No reputation checks. No behavioral validation. No attestation chain.
This is how supply chain attacks will happen. An attacker compromises one agent. That agent spawns sub-agents. Those sub-agents inherit capabilities but not constraints. The compromise spreads.
"Trust scoring is covered by Patent #4 — Inherited Behavioral Context (IBC). This is our core thesis."
🔐 The Sensitive Data Problem
When your agent has access to API keys, credentials, and PII, proper data masking isn't optional. It's mandatory.
Only 37% of agents fully pass sensitive data masking. Another 52% have partial coverage. 6% outright fail.
Partial coverage means the agent might mask API keys in logs but not in memory dumps. Or mask credit cards but not SSNs. Or mask data at rest but not in transit.
This is a ticking time bomb.
Category Breakdown
We tested 27 security checks across 6 categories. Here's how agents performed in each:
Security Categories (Weakest to Strongest)
The weakest category? Permissions & Access Control. This is foundational stuff — who can do what, when, and under what conditions. If you don't get this right, nothing else matters.
The strongest category? Supply Chain Integrity. Most frameworks at least attempt dependency verification, package signing, and reproducible builds. Not perfect, but better than the rest.
🔥 Top 10 Most Common Failures
Notice a pattern? The failures cluster around delegation, trust, and data handling. The exact areas where agents get autonomy.
Framework Comparison
Which frameworks are most secure? We grouped agents by their underlying framework and calculated average scores:
Average Security Score by Framework
| Framework | Avg Score | Grade | Agents |
|---|---|---|---|
| Anthropic tools | 84.0 | B | 1 |
| HuggingFace | 83.0 | B | 1 |
| Microsoft | 82.5 | B | 2 |
| LlamaIndex | 81.0 | B | 1 |
| 81.0 | B | 1 | |
| OpenAI | 80.0 | B | 1 |
| Haystack | 79.0 | B | 1 |
| LangChain | 78.2 | C+ | 4 |
| Custom/Other | 77.1 | C+ | 84 |
| CrewAI | 76.5 | C+ | 2 |
| Autogen | 76.0 | C+ | 1 |
| OpenClaw | 75.0 | C | 1 |
| AutoGPT | 68.0 | D+ | 1 |
Key findings:
- Big tech frameworks (Anthropic, Microsoft, Google, OpenAI) score highest — but none break into the A range.
- Custom-built agents (84 of 101) average C+. Builders rolling their own security often miss critical checks.
- LangChain, the most popular framework, scores 78.2 (C+) — right at the industry average.
- OpenClaw (our own platform) scores 75.0 (C). We're working on it.
The Best and The Worst
What separates the top 5 most secure agents from the bottom 5?
🏆 Top 5 Most Secure
⚠️ Bottom 5 (Riskiest)
💡 Common Patterns
Top performers: Security-focused agents built specifically for auditing, scanning, or sandboxing. They implement comprehensive logging, strict permission models, and full trust scoring.
Bottom performers: Self-evolving agents, desktop control agents, and code execution loops. High autonomy + low constraints = high risk.
The pattern is clear: Agents designed to be powerful without constraints are the most dangerous.
What This Means
The agent security gap is real and measurable. It's not theoretical. It's not hypothetical. It's documented in 101 real-world agents.
As agents get more autonomy — shell access, API calls, sub-agent delegation, multi-agent collaboration — a C+ security posture isn't good enough.
"A C+ is passing in school. In production security, it's a liability waiting to be exploited."
Here's what worries us most:
- Trust scoring is almost universally broken. 93% of agents don't fully implement it.
- Sub-agent safety is weak. Capabilities propagate, constraints don't.
- Sensitive data handling is inconsistent. Only 37% get it right.
- Custom-built agents have no baseline. 84 of 101 agents are custom — and they average C+.
This isn't an indictment of any single framework or builder. It's a systemic issue. The ecosystem hasn't prioritized security at the architecture level.
🛠️ How to Fix It
Practical recommendations based on the most common failures:
The good news? These problems are solvable. The architecture exists. The patents are filed. The tools are being built.
The bad news? Most agents aren't implementing them yet.
📋 Methodology & Transparency
What we tested: 101 agents across 13 frameworks, evaluated against 27 security checks in 6 categories.
How we tested: Automated scans using The Pitstop CLI + manual verification of borderline cases. Each check scored as Pass (100%), Partial (50%), or Fail (0%).
Limitations: This audit reflects agent configurations at scan time (March-April 2026). Security is a moving target — agents may have been updated since. We also can't detect every vulnerability — just the ones we know to look for.
Bias disclosure: We built The Pitstop. We filed the patents. We have a business interest in agent security. That said, the data is real, the methodology is transparent, and the recommendations are practical regardless of who you use for scanning.
Get scanned. Know your vulnerabilities.
The Pitstop scans AI agents for all 27 security checks documented in this report. Web scan or CLI. Both free. Both comprehensive.
Author: The Pitstop Research Team
Date: April 30, 2026
Agents Scanned: 101 agents across 13 frameworks (March-April 2026)
Related Patents: US 64/034,176 (Infinity Protocol) | US 64/034,996 (KarmaTokens) | US 64/040,161 (Sub-Agent Trust / IBC)