GitHub Stars Don't Mean Trust: What 4.5M AI Agents Reveal About Security
Category: data analysis · Winner: Data Story
Everyone uses GitHub stars as a proxy for quality. More stars = more trusted, right?
We tested this assumption against 4.5 million AI agents. The correlation is real, but weaker than you'd think.
Stars vs Trust: The Data
| Stars | Count | Avg Trust Score | Trust Gap |
|-------|-------|----------------|-----------|
| 0 | 4,414,095 | 53.4 | baseline |
| 1-99 | 131,805 | 61.2 | +7.8 |
| 100-999 | 8,872 | 65.9 | +12.5 |
| 1K-10K | 2,372 | 71.4 | +18.0 |
| 10K-100K | 666 | 74.3 | +20.9 |
| 100K+ | 16 | 75.7 | +22.3 |
Going from 0 stars to 100K+ stars improves your trust score by only 22.3 points. That's the difference between a D and a C+.
Why Stars Fail as a Trust Signal
Stars measure **popularity**, not **security**. A project can have:
- 50K stars and **no security policy**
- 100K stars and **known unpatched CVEs**
- 10K stars and **an AGPL license** (problematic for enterprise adoption)
- 20K stars and **no commits in 6 months**
We found popular projects (1K+ stars) with:
- Average security score: **0.8/100** (nearly all lack formal security practices)
- Only **0.4%** with updates in the last 30 days
- **57%** with permissive licenses (the rest are unknown, copyleft, or viral)
What Predicts Trust Better Than Stars?
Our data shows these signals matter more:
1. Source Platform
GitHub-sourced agents average **66.8** vs Docker Hub's **52.6**, a 27% gap. The platform itself is a stronger signal than star count within a platform.
2. Active Maintenance
Agents updated in the last 30 days score significantly higher than stale projects, regardless of star count. A 100-star project with weekly commits outscores a 10K-star project that hasn't been touched in a year.
3. License Clarity
Having **any** declared license improves trust. MIT and Apache-2.0 licensed projects average higher scores because license declaration correlates with professional development practices.
4. Category
Coding tools average **64.0** vs community agents at **42.5**. The category reflects the development culture: coding tool authors tend to follow better practices.
The Counterintuitive Finding
The most dangerous zone isn't zero-star projects (nobody uses those in production). It's the **100-10K star range**. These projects are popular enough to be widely adopted but often lack the security infrastructure of top-tier projects.
| Stars | Agents in Range | Risk Level |
|-------|----------------|------------|
| 0 | 4.4M | Low (not used in production) |
| 1-99 | 132K | Low (limited adoption) |
| 100-999 | 8,872 | **HIGH** (adopted but under-secured) |
| 1K-10K | 2,372 | **HIGH** (widely adopted, variable security) |
| 10K-100K | 666 | Medium (more scrutiny, but gaps exist) |
| 100K+ | 16 | Lower (established projects) |
What Should You Do?
**Don't use stars as your trust signal.** Use a multi-dimensional assessment:
1. Check the trust score: `curl nerq.ai/v1/preflight?target=agent-name`
2. Verify the license is compatible with your use case
3. Check for known vulnerabilities (CVEs)
4. Verify recent maintenance activity
5. Look for a security policy (SECURITY.md)
Stars tell you what's popular. Trust scores tell you what's safe.
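As an added example (not Nerq's code or API), here is the multi-dimensional check above applied offline to a repository's metadata: it maps the star count to the risk band from the table, flags staleness against the 30-day threshold, reports license declaration, and requires a security policy before recommending adoption. Field names follow the GitHub REST API repository object; `has_security_policy` is an assumed separate input, since that object does not say whether SECURITY.md exists, and the sample repository is constructed.

```python
# Added example, not Nerq's code: a star-agnostic pre-adoption check built
# from the signals on this page. Repo fields mirror the GitHub REST API
# repository object (stargazers_count, pushed_at, license.spdx_id);
# has_security_policy is an assumed extra input (SECURITY.md presence).
from datetime import datetime, timedelta, timezone

PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
STALE_AFTER = timedelta(days=30)  # the page's "updated in the last 30 days" cut-off

# Risk band by star-count floor, taken from the "Counterintuitive Finding" table.
STAR_RISK = [(0, "low"), (1, "low"), (100, "HIGH"), (1_000, "HIGH"),
             (10_000, "medium"), (100_000, "lower")]


def star_risk(stars: int) -> str:
    """Map a star count to the page's risk band (context only, not a trust signal)."""
    level = "low"
    for floor, label in STAR_RISK:
        if stars >= floor:
            level = label
    return level


def assess(repo: dict, has_security_policy: bool, now: datetime) -> dict:
    """Return per-signal findings; 'adopt' is True only when no red flag remains."""
    pushed = datetime.fromisoformat(repo["pushed_at"].replace("Z", "+00:00"))
    lic = (repo.get("license") or {}).get("spdx_id")
    findings = {
        "star_bucket_risk": star_risk(repo["stargazers_count"]),
        "stale": now - pushed > STALE_AFTER,
        "license": lic or "none",
        "permissive": lic in PERMISSIVE,   # compatibility is still a per-use-case call
        "security_policy": has_security_policy,
    }
    checks = (("stale", findings["stale"]),
              ("no_license", lic is None),
              ("no_security_policy", not has_security_policy))
    findings["red_flags"] = [name for name, failed in checks if failed]
    findings["adopt"] = not findings["red_flags"]
    return findings


# Constructed sample: a 5K-star project (the page's high-risk band) with no
# push in a year and no declared license, assessed on the page's index date.
SAMPLE_REPO = {"stargazers_count": 5_000, "pushed_at": "2025-03-01T00:00:00Z", "license": None}
SAMPLE_NOW = datetime(2026, 3, 13, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(assess(SAMPLE_REPO, has_security_policy=False, now=SAMPLE_NOW))
```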
Methodology
Analysis based on 4,557,826 scored agents in the Nerq index as of March 13, 2026. Trust scores incorporate 13+ independent signals. Stars data sourced from GitHub API and registry metadata.