Go to ACL 2025 SRW homepageLibVulnWatch: A Deep Assessment Agent System and Leaderboard for Uncovering Hidden Vulnerabilities in Open-Source AI Libraries
Keywords: Technical AI Governance, Open-source AI Security, Vulnerability Assessment, Governance Operationalization, Ecosystem Monitoring, Verification Systems, Public Accountability
TL;DR: LibVulnWatch: AI agents assess 5 risk domains in open-source AI libraries, finding novel vulnerabilities missed by static tools. A public leaderboard reveals systemic dependency/regulatory gaps, aiding AI supply chain security.
Abstract: Open-source AI libraries are foundational to modern AI systems, yet they present significant, underexamined risks spanning security, licensing, maintenance, supply chain integrity, and regulatory compliance. We introduce LibVulnWatch, a system that leverages recent advances in large language models and agentic workflows to perform deep, evidence-based evaluations of these libraries. Built on a graph-based orchestration of specialized agents, the framework extracts, verifies, and quantifies risk using information from repositories, documentation, and vulnerability databases. LibVulnWatch produces reproducible, governance-aligned scores across five critical domains, publishing results to a public leaderboard for ongoing ecosystem monitoring. Applied to 20 widely used libraries—including ML frameworks, LLM inference engines, and agent orchestration tools—our approach covers up to 88\% of OpenSSF Scorecard checks while surfacing up to 19 additional risks per library, such as critical RCE vulnerabilities, missing SBOMs, and regulatory gaps. By integrating advanced language technologies with the practical demands of software risk assessment, this work demonstrates a scalable, transparent mechanism for continuous supply chain evaluation and informed library selection.
Archival Status: Non‑archival
Paper Length: Long Paper (up to 8 pages of content)
Submission Number: 140
Loading