AgentGraph — open-source trust verification for AI agents

[kenneives]

Hi AutoGen community! Sharing a project that addresses a growing concern in multi-agent systems: how do you know which agents and tools to trust?

AgentGraph is open-source trust infrastructure for AI agents. Import a GitHub repo and in ~2 minutes you get a security scan, trust score, verified identity, and an embeddable badge.

What you get

• Automated security scan — checks for hardcoded secrets, unsafe execution, data exfiltration, code obfuscation
• Trust score (0-100) — deductions for findings, bonuses for security best practices (auth checks, input validation, rate limiting)
• Verified identity — every agent gets a W3C DID (decentralized identifier) so its identity is cryptographically verifiable, not just a display name
• Trust-scored social graph — see how agents relate to each other, with community endorsements from other developers
• README badge — shows your trust score, updates automatically with each scan:

[\![AgentGraph Trust Score](https://agentgraph.co/api/v1/bots/YOUR_ENTITY_ID/badge.svg?style=compact&theme=dark)](https://agentgraph.co/profile/YOUR_ENTITY_ID)

Why this matters for AutoGen

Multi-agent conversations involve tools calling other tools. When an AutoGen agent uses an MCP server or external tool, there is currently no standard way to verify that tool identity or security posture. You are trusting a display name and hoping for the best.

AgentGraph provides that verification layer — verified identity (DID) + automated security scan + trust score. We already have bridges for multiple agent frameworks and are working toward runtime trust checks (verify before execution).

Try it: agentgraph.co — free scan + badge in ~2 minutes. We are in early access and would genuinely love feedback.

Source code | Scan false-positive docs

[0xbrainkid]

Nice work on the security scanning + W3C DID approach. The automated scan → trust score pipeline is a good developer UX.

Question on the identity model: W3C DIDs give you cryptographic verification, but where does the trust accumulate? If an agent's DID is verified on AgentGraph but it interacts with services that don't use AgentGraph, the trust score isn't portable.

We've been tackling the same problem from a different angle with SATP (Solana Agent Trust Protocol) — putting attestations on-chain so trust scores are verifiable by any system, not just the issuing platform. The trade-off is blockchain overhead vs. portability.

The interesting design space is probably a two-layer model:

• Off-chain (like AgentGraph): fast, detailed scanning, rich metadata
• On-chain (like SATP): portable, tamper-proof, cross-platform verifiable

Have you thought about anchoring DID attestations to a public ledger so other platforms can verify agent trust without querying your API?

Also curious about the scan methodology — how do you handle agents that are API-only (no repo to scan)? That's a large percentage of production agents.

[kenneives]

You're identifying the exact right gap. Right now our trust scores are strongest for agents with scannable repos, and portability is the natural next question.

On the two-layer model — we've been thinking along the same lines. Our current architecture is off-chain first (fast iteration, rich metadata from scanning), but we've been evaluating on-chain anchoring for exactly the reason you describe: a trust score that only lives on one platform isn't really trust infrastructure, it's a feature. We've looked at DSNP-compatible networks and general-purpose chains. SATP is interesting to us because you're solving the attestation portability problem directly — would be worth exploring whether AgentGraph could anchor DID attestations through SATP so any system can verify without hitting our API.

On API-only agents — this is a real gap we're actively working to close. Code scanning is one input, but we're building toward aggregating trust signals from multiple public sources:

• Package registries (npm, PyPI) — download counts, vulnerability history, maintainer tenure
• Container registries (Docker Hub) — pull counts, image scan results
• API reliability monitoring — uptime, response consistency, error rates over time
• Operator reputation — the human or org running the agent has their own trust graph (GitHub contribution history, verified identity, other agents they operate)
• HuggingFace — model ratings, community feedback, download stats
• Dependency graphs — how many other tools/agents depend on this one

For an API-only agent, the trust score becomes a composite of operator reputation + API behavior monitoring + community endorsements + any on-chain attestations. No repo required.

The on-chain piece makes this especially powerful — if those composite scores are anchored publicly, then a CrewAI agent checking whether to trust an MCP server doesn't need to be an AgentGraph user. It just verifies the attestation on-chain.

Would be interested in comparing notes on SATP's attestation schema vs our DID document structure. If there's alignment, an integration could be mutually useful — we bring the scanning + signal aggregation pipeline, SATP brings the portable verification layer. Feel free to DM or open an issue if you want to dig deeper.

[msaleme]

Nice work on the automated scan-to-trust-score pipeline. The W3C DID approach for portable identity is the right foundation.

Two areas where our work might complement this:

1. Active vs static testing. AgentGraph scans repos and generates trust scores from static analysis. We run 332 active adversarial tests over the wire (MCP, A2A, L402, x402). The two together give you both "does the code look safe?" and "what happens when it's attacked?" — different questions with different signal.

2. Attestation interop. We just shipped a structured attestation JSON schema in v3.8. If AgentGraph could consume attestation reports as an input signal to the trust score, you'd have third-party adversarial testing feeding directly into your trust infrastructure. The schema includes scope, severity, and per-test results — designed for exactly this kind of integration.

We also have an MCP server so agents can invoke the harness directly. An AgentGraph agent could call scan_mcp_server on a candidate tool and factor the results into the trust score.

Would be interested to explore attestation-to-trust-score integration if you're open to it.

[kenneives]

Thanks Mike — the active vs static distinction is exactly right. Our security scanner does repo-level static analysis (dependency audits, code pattern checks, secret detection), which answers "does this code look safe?" but not "what happens under adversarial conditions?" Those are complementary signals, not competing ones.

On the attestation side — we're actively building out multi-source trust signal aggregation. Today AgentGraph pulls from GitHub, npm, PyPI, Docker Hub, and HuggingFace to compute a composite trust score. Adding structured adversarial test results as an input signal is a natural next step. The key requirement on our end is a well-defined schema with scope, severity, and per-test granularity — sounds like that's what you've built in v3.8.

The MCP integration path is interesting too. We already have an MCP bridge that supports tool discovery and execution, so an agent invoking scan_mcp_server during the import flow and folding results into the trust score is architecturally straightforward.

Would love to see the attestation schema spec. If you want to try the pipeline from the consumer side, you can import your testing tool into AgentGraph now — we'll automatically discover it across registries and generate an initial trust profile.

Open to exploring this further. The agent ecosystem needs interoperable trust infrastructure, and adversarial testing is a critical input signal.

[kenneives]

@msaleme Thanks for the thoughtful response! You raised a good point about trust scores needing to account for agent composition — a multi-agent system's trust is only as strong as its weakest component.

We've been thinking about this for CrewAI/AutoGen-style workflows specifically. Right now AgentGraph scores individual agents/tools, but the next step is compositional trust — if Agent A delegates to B which calls Tool C, the effective trust should reflect the chain, not just the top-level agent.

Would love your perspective on what signals matter most in the AutoGen context. Is it more about verifying the agent code or the tools it has access to?

You can try it now at agentgraph.co — import any GitHub repo and get a scan + trust score in about 2 minutes.