We Scanned 101 AI Agents. The Average Security Grade? C+.

The first independent security audit of the AI agent ecosystem. 101 agents, 27 security checks, 13 frameworks. Here's what we found.

🏎️ The Pitstop Research Team 📅 April 30, 2026 ⏱️ 15 min read

The C+ Problem

We scanned 101 AI agents from the most popular frameworks. The results should worry you.

Not because the agents are catastrophically broken — they're not. But because the industry average is C+, and that's not good enough. Not when agents have shell access, API keys, and the ability to delegate to sub-agents.

This isn't theoretical. These are production agents. Real deployments. Running on real infrastructure with access to real data.

0
Agents Scanned
0/100
Average Score (C+)
0
Security Checks
0
Frameworks Tested

Grade Distribution

A
1%
1 agent
B
31%
31 agents
C
62%
63 agents
D
6%
6 agents
F
0%
0 agents

62% of agents scored a C. Not failing. Not excellent. Just… mediocre. And in security, mediocre is a liability.

🚨 The Trust Scoring Crisis

This is the #1 blind spot in the entire agent ecosystem:

0%
Outright fail trust scoring
0%
Fully pass trust scoring
0%
Don't fully implement trust scoring

38% of agents fail trust scoring entirely. Only 7% fully pass.

Here's what that means: When an agent delegates to a sub-agent, almost nobody verifies the sub-agent is trustworthy. No reputation checks. No behavioral validation. No attestation chain.

This is how supply chain attacks will happen. An attacker compromises one agent. That agent spawns sub-agents. Those sub-agents inherit capabilities but not constraints. The compromise spreads.

"Trust scoring is covered by Patent #4 — Inherited Behavioral Context (IBC). This is our core thesis."

🔐 The Sensitive Data Problem

When your agent has access to API keys, credentials, and PII, proper data masking isn't optional. It's mandatory.

Only 37% of agents fully pass sensitive data masking. Another 52% have partial coverage. 6% outright fail.

Partial coverage means the agent might mask API keys in logs but not in memory dumps. Or mask credit cards but not SSNs. Or mask data at rest but not in transit.

This is a ticking time bomb.

Category Breakdown

We tested 27 security checks across 6 categories. Here's how agents performed in each:

Security Categories (Weakest to Strongest)

1. Permissions & Access Control 74.2/100
2. Sub-Agent Safety 74.9/100
3. Data Exfiltration Prevention 76.6/100
4. Prompt Injection Defense 81.2/100
5. Audit & Logging 83.1/100
6. Supply Chain Integrity 83.7/100

The weakest category? Permissions & Access Control. This is foundational stuff — who can do what, when, and under what conditions. If you don't get this right, nothing else matters.

The strongest category? Supply Chain Integrity. Most frameworks at least attempt dependency verification, package signing, and reproducible builds. Not perfect, but better than the rest.

🔥 Top 10 Most Common Failures

#1
Trust Scoring
38% fail — Only 7% fully pass. 93% of agents have weak or no trust scoring.
#2
Delegation Limits
10% fail, 56% partial — Only 34% fully control sub-agent delegation.
#3
File System Permissions
9% fail — Agents with overly broad file access.
#4
Outbound Allowlist
8% fail — No control over which external services agents can contact.
#5
SSRF Protection
8% fail — Server-Side Request Forgery vulnerabilities present.
#6
Plugin Allowlist
7% fail — Agents can load arbitrary plugins without approval.
#7
Behavioral Inheritance
7% fail — Sub-agents don't inherit parent safety constraints.
#8
Subagent Output Review
7% fail, 78% partial — Only 15% fully verify sub-agent results.
#9
Tool Restrictions
6% fail — No limits on which tools agents can invoke.
#10
Sensitive Data Masking
6% fail, 52% partial — Only 37% fully mask credentials and PII.

Notice a pattern? The failures cluster around delegation, trust, and data handling. The exact areas where agents get autonomy.

Framework Comparison

Which frameworks are most secure? We grouped agents by their underlying framework and calculated average scores:

Average Security Score by Framework

Framework Avg Score Grade Agents
Anthropic tools 84.0 B 1
HuggingFace 83.0 B 1
Microsoft 82.5 B 2
LlamaIndex 81.0 B 1
Google 81.0 B 1
OpenAI 80.0 B 1
Haystack 79.0 B 1
LangChain 78.2 C+ 4
Custom/Other 77.1 C+ 84
CrewAI 76.5 C+ 2
Autogen 76.0 C+ 1
OpenClaw 75.0 C 1
AutoGPT 68.0 D+ 1

Key findings:

The Best and The Worst

What separates the top 5 most secure agents from the bottom 5?

🏆 Top 5 Most Secure

MCP Config Scanner
90/100
Agent Security Toolkit
89/100
Terminal Security Scanner
88/100
Skill Security Auditor
87/100
OpenSandbox Alibaba
85/100

⚠️ Bottom 5 (Riskiest)

GenericAgent Self-Evolving
64/100
CowAgent
65/100
Ralph Claude Code Loop
66/100
CUA Desktop Control
67/100
AutoGPT Platform
68/100

💡 Common Patterns

Top performers: Security-focused agents built specifically for auditing, scanning, or sandboxing. They implement comprehensive logging, strict permission models, and full trust scoring.

Bottom performers: Self-evolving agents, desktop control agents, and code execution loops. High autonomy + low constraints = high risk.

The pattern is clear: Agents designed to be powerful without constraints are the most dangerous.

What This Means

The agent security gap is real and measurable. It's not theoretical. It's not hypothetical. It's documented in 101 real-world agents.

As agents get more autonomy — shell access, API calls, sub-agent delegation, multi-agent collaboration — a C+ security posture isn't good enough.

"A C+ is passing in school. In production security, it's a liability waiting to be exploited."

Here's what worries us most:

This isn't an indictment of any single framework or builder. It's a systemic issue. The ecosystem hasn't prioritized security at the architecture level.

🛠️ How to Fix It

Practical recommendations based on the most common failures:

🎯
Implement Trust Scoring (Patent #4)
Before delegating to a sub-agent, verify trust. Check reputation, behavioral history, resource usage patterns. Don't blindly execute.
🔐
Mask Sensitive Data at Every Layer
API keys, credentials, PII — mask them in logs, memory dumps, error messages, and telemetry. Partial coverage isn't enough.
🚧
Enforce Delegation Limits
How many sub-agents can spawn? How deep can the chain go? Set hard limits. Otherwise, one compromised agent becomes many.
📂
Restrict File System Access
Agents don't need full filesystem access. Scope permissions to specific directories. Use allowlists, not denylists.
🌐
Implement Outbound Allowlists
Which external services can your agent contact? Define an allowlist. Block everything else. Prevents SSRF and data exfiltration.
📦
Control Plugin Loading
Don't let agents load arbitrary plugins. Maintain a curated plugin registry. Verify signatures. Audit new additions.
🧬
Enforce Behavioral Inheritance (IBC)
When a sub-agent spawns, it inherits capabilities AND constraints. Safety rules propagate. Not as suggestions — as cryptographically enforced boundaries.
Review Sub-Agent Output
Don't blindly trust sub-agent results. Verify outputs before acting on them. Check for anomalies. Log everything.
📊
Comprehensive Logging & Audit Trails
Every action, every decision, every delegation — log it. Immutable audit trails. Post-execution verification. Accountability from day one.
🏎️
Scan Your Agent
Use The Pitstop to identify vulnerabilities before attackers do. Web scan or CLI. Both free. Both comprehensive.

The good news? These problems are solvable. The architecture exists. The patents are filed. The tools are being built.

The bad news? Most agents aren't implementing them yet.

📋 Methodology & Transparency

What we tested: 101 agents across 13 frameworks, evaluated against 27 security checks in 6 categories.

How we tested: Automated scans using The Pitstop CLI + manual verification of borderline cases. Each check scored as Pass (100%), Partial (50%), or Fail (0%).

Limitations: This audit reflects agent configurations at scan time (March-April 2026). Security is a moving target — agents may have been updated since. We also can't detect every vulnerability — just the ones we know to look for.

Bias disclosure: We built The Pitstop. We filed the patents. We have a business interest in agent security. That said, the data is real, the methodology is transparent, and the recommendations are practical regardless of who you use for scanning.

Get scanned. Know your vulnerabilities.

The Pitstop scans AI agents for all 27 security checks documented in this report. Web scan or CLI. Both free. Both comprehensive.

Quick CLI install (click to copy):
$ curl -sSL https://api.thepitstop.ai/scan.sh | bash

Author: The Pitstop Research Team

Date: April 30, 2026

Agents Scanned: 101 agents across 13 frameworks (March-April 2026)

Related Patents: US 64/034,176 (Infinity Protocol) | US 64/034,996 (KarmaTokens) | US 64/040,161 (Sub-Agent Trust / IBC)

← Back to Blog