LibVulnWatch: A Deep Assessment Agent System and Leaderboard for Uncovering Hidden Vulnerabilities in Open-Source AI Libraries

Zekun Wu; Seonglae Cho; Umar Mohammed; Cristian Enrique Munoz Villalobos; Kleyton Da Costa; Xin Guan; Theo King; Ze Wang; Emre Kazim; Adriano Koshiyama

doi:10.18653/v1/2025.acl-srw.40

LibVulnWatch: A Deep Assessment Agent System and Leaderboard for Uncovering Hidden Vulnerabilities in Open-Source AI Libraries

Zekun Wu, Seonglae Cho, Umar Mohammed, Cristian Enrique Munoz Villalobos, Kleyton Da Costa, Xin Guan, Theo King, Ze Wang, Emre Kazim, Adriano Koshiyama

Abstract

Open-source AI libraries are foundational to modern AI systems, yet they present significant, underexamined risks spanning security, licensing, maintenance, supply chain integrity, and regulatory compliance. We introduce LibVulnWatch, a system that leverages recent advances in large language models and agentic workflows to perform deep, evidence-based evaluations of these libraries. Built on a graph-based orchestration of specialized agents, the framework extracts, verifies, and quantifies risk using information from repositories, documentation, and vulnerability databases. LibVulnWatch produces reproducible, governance-aligned scores across five critical domains, publishing results to a public leaderboard for ongoing ecosystem monitoring. Applied to 20 widely used libraries—including ML frameworks, LLM inference engines, and agent orchestration tools—our approach covers up to 88% of OpenSSF Scorecard checks while surfacing up to 19 additional risks per library, such as critical RCE vulnerabilities, missing SBOMs, and regulatory gaps. By integrating advanced language technologies with the practical demands of software risk assessment, this work demonstrates a scalable, transparent mechanism for continuous supply chain evaluation and informed library selection.

Anthology ID:: 2025.acl-srw.40
Volume:: Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 4: Student Research Workshop)
Month:: July
Year:: 2025
Address:: Vienna, Austria
Editors:: Jin Zhao, Mingyang Wang, Zhu Liu
Venues:: ACL | WS
SIG:
Publisher:: Association for Computational Linguistics
Note:
Pages:: 608–656
Language:
URL:: https://aclanthology.org/2025.acl-srw.40/
DOI:: 10.18653/v1/2025.acl-srw.40
Bibkey:
Cite (ACL):: Zekun Wu, Seonglae Cho, Umar Mohammed, Cristian Enrique Munoz Villalobos, Kleyton Da Costa, Xin Guan, Theo King, Ze Wang, Emre Kazim, and Adriano Koshiyama. 2025. LibVulnWatch: A Deep Assessment Agent System and Leaderboard for Uncovering Hidden Vulnerabilities in Open-Source AI Libraries. In Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 4: Student Research Workshop), pages 608–656, Vienna, Austria. Association for Computational Linguistics.
Cite (Informal):: LibVulnWatch: A Deep Assessment Agent System and Leaderboard for Uncovering Hidden Vulnerabilities in Open-Source AI Libraries (Wu et al., ACL 2025)
Copy Citation:
PDF:: https://aclanthology.org/2025.acl-srw.40.pdf

PDF Cite Search Fix data