We audited authorization in 30 AI agent frameworks — 93% rely on unscoped API keys

Published a research report auditing how popular AI agent projects (OpenClaw, AutoGen, CrewAI, LangGraph, MetaGPT, AutoGPT, etc.) handle authorization. Key findings: – 93% use unscoped API keys as the only auth mechanism – 0% have per-agent cryptographic identity – 100% have no per-agent revocation — one agent misbehaves, rotate the key for all – In multi-agent systems, child agents inherit full parent credentials with no scope narrowing Mapped findings to OWASP Agentic Top 10 (ASI01 Agent Goal Hijacking, ASI03 Identity & Privilege Abuse, ASI05 Privilege Escalation, ASI10 Rogue Agents). Real incidents included: 21k exposed OpenClaw instances leaking credentials, 492 MCP servers with zero auth, 1.5M API tokens exposed in Moltbook breach. Full report: https://grantex.dev/report/state-of-agent-security-2026 submitted by /u/MousseSad4993 [link] [comments]Technical Information Security Content & DiscussionRead More