LibVulnWatch: Vulnerability Assessment Leaderboard
LibVulnWatch – Continuous, Multi-Domain Risk Scoring for AI Libraries
As presented at the ACL 2025 Student Research Workshop and the ICML 2025 Technical AI Governance (TAIG) workshop, LibVulnWatch provides an evidence-based, end-to-end pipeline that uncovers hidden vulnerabilities in open-source AI libraries across five governance-aligned domains:
• License Validation – compatibility, provenance, obligations
• Security Assessment – CVEs, patch latency, exploit primitives
• Maintenance Health – bus-factor, release cadence, contributor diversity
• Dependency Management – transitive risk, SBOM completeness
• Regulatory Compliance – privacy/export controls, policy documentation
In the paper we apply the framework to 20 popular libraries, achieving 88 % coverage of OpenSSF Scorecard checks and surfacing up to 19 previously-unreported risks per library.
Lower scores indicate lower risk, and the Trust Score is the equal-weight average of the five domains.
{
- "headers": [
- "assessment_id",
- "Type",
- "T",
- "Language",
- "Framework",
- "Library",
- "Version",
- "Trust Score",
- "License",
- "GitHub ⭐",
- "Last Update",
- "Verified",
- "Active Maintenance",
- "Report",
- "License Rating",
- "Security Rating",
- "Maintenance Rating",
- "Dependency Rating",
- "Regulatory Rating",
- "_languages_list",
- "_maintenance_filter"
- "data": [
- [
- "pydantic_pydantic-ai_v0.3.2",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/pydantic/pydantic-ai" target="_blank">pydantic/pydantic-ai</a>",
- "v0.3.2",
- 3,
- "MIT",
- 10400,
- "2024-06-08",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/pydantic_pydantic-ai_v0.3.2.html" target="_blank">View Report</a>",
- 5,
- 3,
- 3,
- 2,
- 2,
- [
- "Python"
- "Active"
- [
- "browser-use_browser-use_v0.3.2",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/browser-use/browser-use" target="_blank">browser-use/browser-use</a>",
- "v0.3.2",
- 3,
- "MIT",
- 3200,
- "2024-06-09",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/browser_use_browser-use_v0.3.2.html" target="_blank">View Report</a>",
- 5,
- 3,
- 3,
- 2,
- 2,
- [
- "Python"
- "Active"
- [
- "jax-ml_jax_v0.4.23",
- "ML Framework",
- "🟢",
- "Python",
- "ML Framework",
- "<a href="https://github.com/jax-ml/jax" target="_blank">jax-ml/jax</a>",
- "v0.4.23",
- 2.8,
- "Apache-2.0",
- 32604,
- "2024-06-24",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/jax-ml_jax_v0.4.23.html" target="_blank">View Report</a>",
- 5,
- 3,
- 4,
- 1,
- 1,
- [
- "Python"
- "Active"
- [
- "huggingface_transformers_v4.52.4",
- "ML Framework",
- "🟢",
- "Python",
- "ML Framework",
- "<a href="https://github.com/huggingface/transformers" target="_blank">huggingface/transformers</a>",
- "v4.52.4",
- 2.8,
- "Apache-2.0",
- 146000,
- "2024-06-22",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/huggingface_transformers_v4.52.4.html" target="_blank">View Report</a>",
- 5,
- 1,
- 4,
- 1,
- 3,
- [
- "Python"
- "Active"
- [
- "tensorflow_tensorflow_v2.19.0",
- "ML Framework",
- "🟢",
- "C++/Python",
- "ML Framework",
- "<a href="https://github.com/tensorflow/tensorflow" target="_blank">tensorflow/tensorflow</a>",
- "v2.19.0",
- 2.6,
- "Apache-2.0",
- 190000,
- "2024-06-23",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/tensorflow_tensorflow_v2.19.0.html" target="_blank">View Report</a>",
- 5,
- 1,
- 3,
- 1,
- 3,
- [
- "C++",
- "Python"
- "Active"
- [
- "pytorch_pytorch_v2.7.1",
- "ML Framework",
- "🟢",
- "C++/Python",
- "ML Framework",
- "<a href="https://github.com/pytorch/pytorch" target="_blank">pytorch/pytorch</a>",
- "v2.7.1",
- 2.6,
- "BSD-3-Clause",
- 91000,
- "2024-06-25",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/pytorch_pytorch_v2.7.1.html" target="_blank">View Report</a>",
- 5,
- 1,
- 3,
- 1,
- 3,
- [
- "C++",
- "Python"
- "Active"
- [
- "onnx_onnx_v1.18.0",
- "ML Framework",
- "🟢",
- "C++/Python",
- "ML Framework",
- "<a href="https://github.com/onnx/onnx" target="_blank">onnx/onnx</a>",
- "v1.18.0",
- 2.6,
- "MIT",
- 19100,
- "2024-06-22",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/onnx_onnx_v1.18.0.html" target="_blank">View Report</a>",
- 4,
- 3,
- 3,
- 1,
- 2,
- [
- "C++",
- "Python"
- "Active"
- [
- "run-llama_llama_index_v0.12.43",
- "LLM Orchestration",
- "🟣",
- "Python",
- "LLM Orchestration",
- "<a href="https://github.com/run-llama/llama_index" target="_blank">run-llama/llama_index</a>",
- "v0.12.43",
- 2.4,
- "MIT",
- 42500,
- "2024-06-20",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/run-llama_llama_index_v0.12.43.html" target="_blank">View Report</a>",
- 4,
- 2,
- 3,
- 1,
- 2,
- [
- "Python"
- "Active"
- [
- "google_adk-python_v1.4.2",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/google/adk-python" target="_blank">google/adk-python</a>",
- "v1.4.2",
- 2.4,
- "MIT",
- 3800,
- "2024-06-07",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/google_adk-python_v1.4.2.html" target="_blank">View Report</a>",
- 4,
- 2,
- 3,
- 1,
- 2,
- [
- "Python"
- "Active"
- [
- "vllm-project_vllm_v0.9.1",
- "LLM Inference",
- "🟦",
- "Python/CUDA",
- "LLM Inference",
- "<a href="https://github.com/vllm-project/vllm" target="_blank">vllm-project/vllm</a>",
- "v0.9.1",
- 2.2,
- "Apache-2.0",
- 50600,
- "2024-06-18",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/vllm-project_vllm_v0.9.1.html" target="_blank">View Report</a>",
- 4,
- 2,
- 3,
- 1,
- 1,
- [
- "Python",
- "CUDA"
- "Active"
- [
- "nvidia_TensorRT_v10.12.0",
- "ML Framework",
- "🟢",
- "C++/Python",
- "ML Framework Inference",
- "<a href="https://github.com/nvidia/tensorrt" target="_blank">nvidia/TensorRT</a>",
- "v10.12.0",
- 2.2,
- "Proprietary with Open Components",
- 11700,
- "2024-06-21",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/nvidia_tensorrt_v10.12.0.html" target="_blank">View Report</a>",
- 3,
- 2,
- 3,
- 1,
- 2,
- [
- "C++",
- "Python"
- "Active"
- [
- "sgl-project_sglang_v0.4.7",
- "LLM Inference",
- "🟦",
- "Python/C++",
- "LLM Inference",
- "<a href="https://github.com/sgl-project/sglang" target="_blank">sgl-project/sglang</a>",
- "v0.4.7",
- 2.2,
- "Apache-2.0",
- 15400,
- "2024-06-19",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/sgl-project_sglang_v0.4.7.html" target="_blank">View Report</a>",
- 4,
- 2,
- 3,
- 1,
- 1,
- [
- "Python",
- "C++"
- "Active"
- [
- "langchain-ai_langchain_v0.3.66",
- "LLM Orchestration",
- "🟣",
- "Python",
- "LLM Orchestration",
- "<a href="https://github.com/langchain-ai/langchain" target="_blank">langchain-ai/langchain</a>",
- "v0.3.66",
- 2.2,
- "MIT",
- 111000,
- "2024-06-17",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/langchain-ai_langchain_v0.3.66.html" target="_blank">View Report</a>",
- 5,
- 1,
- 1,
- 1,
- 3,
- [
- "Python"
- "Active"
- [
- "crewAIInc_crewAI_v0.130.0",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/crewaiinc/crewai" target="_blank">crewAIInc/crewAI</a>",
- "v0.130.0",
- 2.2,
- "MIT",
- 8200,
- "2024-06-15",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/crewaiinc_crewai_v0.130.0.html" target="_blank">View Report</a>",
- 5,
- 1,
- 3,
- 1,
- 1,
- [
- "Python"
- "Active"
- [
- "huggingface_smolagents_v1.19.0",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/huggingface/smolagents" target="_blank">huggingface/smolagents</a>",
- "v1.19.0",
- 2,
- "MIT",
- 20500,
- "2024-06-12",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/huggingface_smolagents_v1.19.0.html" target="_blank">View Report</a>",
- 4,
- 2,
- 2,
- 1,
- 1,
- [
- "Python"
- "Active"
- [
- "FoundationAgents_MetaGPT_v0.8.1",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/foundationagents/metagpt" target="_blank">FoundationAgents/MetaGPT</a>",
- "v0.8.1",
- 2,
- "MIT",
- 56700,
- "2024-06-14",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/foundationagents_metagpt_v0.8.1.html" target="_blank">View Report</a>",
- 4,
- 2,
- 2,
- 1,
- 1,
- [
- "Python"
- "Active"
- [
- "ComposableHQ_composio_v0.7.19",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/composablehq/composio" target="_blank">ComposableHQ/composio</a>",
- "v0.7.19",
- 2,
- "MIT",
- 1200,
- "2024-06-10",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/ComposableHQ_composio_v0.7.19.html" target="_blank">View Report</a>",
- 4,
- 2,
- 2,
- 1,
- 1,
- [
- "Python"
- "Active"
- [
- "browserbase_stagehand_v2.3.1",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/browserbase/stagehand" target="_blank">browserbase/stagehand</a>",
- "v2.3.1",
- 2,
- "Apache-2.0 with Commons Clause",
- 12800,
- "2024-06-11",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/browserbase_stagehand_v2.3.1.html" target="_blank">View Report</a>",
- 3,
- 2,
- 3,
- 1,
- 1,
- [
- "Python"
- "Active"
- [
- "huggingface_text-generation-inference_v3.3.4",
- "LLM Inference",
- "🟦",
- "Rust/Python",
- "LLM Inference",
- "<a href="https://github.com/huggingface/text-generation-inference" target="_blank">huggingface/text-generation-inference</a>",
- "v3.3.4",
- 1.8,
- "Apache-2.0",
- 10200,
- "2024-06-16",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/huggingface_text-generation-inference_v3.3.4.html" target="_blank">View Report</a>",
- 3,
- 2,
- 2,
- 1,
- 1,
- [
- "Rust",
- "Python"
- "Active"
- [
- "langchain-ai_langgraph_v2.1.0",
- "Agent Framework",
- "⭕",
- "Python",
- "Agent Framework",
- "<a href="https://github.com/langchain-ai/langgraph" target="_blank">langchain-ai/langgraph</a>",
- "v2.1.0",
- 1.6,
- "Proprietary",
- 14700,
- "2024-06-13",
- true,
- true,
- "<a href="https://981526092.github.io/LibVulnWatch/langchain-ai_langgraph_v2.1.0.html" target="_blank">View Report</a>",
- 1,
- 1,
- 4,
- 1,
- 1,
- [
- "Python"
- "Active"
- [
- "metadata": null
Methodology at a Glance
LibVulnWatch orchestrates a graph of specialised agents powered by large language models. Each agent contributes one evidence layer and writes structured findings to a shared memory:
1️⃣ Static agents – licence parsing, secret scanning, call-graph reachability
2️⃣ Dynamic agents – fuzzing harnesses, dependency-confusion probes, CVE replay
3️⃣ Metadata agents – GitHub mining, release-cadence modelling, community health
4️⃣ Policy agents – mapping evidence to NIST SSDF, EU AI Act, and related frameworks
The aggregator agent converts raw findings into 0–10 scores per domain, producing a reproducible JSON result that is 88 % compatible with OpenSSF Scorecard checks. All artefacts (SBOMs, logs, annotated evidence) are archived and linked in the public report.
Before submitting a library for assessment
1) Ensure your library is publicly accessible
LibVulnWatch can only assess libraries that are publicly available on GitHub or another accessible repository.
2) Verify complete metadata is available
Our assessment relies on metadata including:
- License information
- Dependency specifications
- Maintenance history and contributor information
- Security policies and vulnerability handling processes
3) Make sure your repository has an open license
This leaderboard is designed for open-source AI libraries, which should have clear licensing terms.
4) Add security documentation
Libraries with comprehensive security documentation tend to receive better assessments.
If your assessment fails
If your library shows as "FAILED" in the assessment queue, check that:
- The repository is publicly accessible
- All required metadata files are present
- Dependencies can be resolved
- The repository doesn't employ obfuscation techniques that interfere with analysis
library | version | language | framework | library_type | status |
|---|---|---|---|---|---|
langchain-ai/langchain | Python | FINISHED |
library | version | language | framework | library_type | status |
|---|---|---|---|---|---|
library | version | language | framework | library_type | status |
|---|---|---|---|---|---|