/r/netsec - Information Security News & Discussion
We audited authorization in 30 AI agent frameworks – 93% rely on unscoped API keys
Published a research report auditing how popular AI agent projects (OpenClaw, AutoGen, CrewAI, LangGraph, MetaGPT, AutoGPT, etc.) handle authorization.
Key findings:
- 93% use unscoped API keys as the only auth mechanism
- 0% have per-agent cryptographic identity
- 100% have no per-agent revocation: if one agent misbehaves, you rotate the key for all of them
- In multi-agent systems, child agents inherit full parent credentials with no scope narrowing
Mapped findings to OWASP Agentic Top 10 (ASI01 Agent Goal Hijacking, ASI03 Identity & Privilege Abuse, ASI05 Privilege Escalation, ASI10 Rogue Agents).
Real incidents included: 21k exposed OpenClaw instances leaking credentials, 492 MCP servers with zero auth, 1.5M API tokens exposed in Moltbook breach.
Full report: https://grantex.dev/report/state-of-agent-security-2026
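The findings above are easiest to reason about side by side with the alternative they imply. The block below is an added example, not code from the report or from any of the audited frameworks: it contrasts the "one shared, unscoped API key" pattern with a minimal per-agent credential scheme that gives each agent its own signed token, only lets a parent delegate a subset of its own scopes to a child (so a child cannot inherit the full parent credential), and lets an operator revoke a single agent, which also invalidates every token that agent delegated downstream. The token format, scope names, signing key and agent names are all assumptions made for this example.

```python
"""Per-agent scoped credentials with attenuation and revocation.

Added illustration only; not code from the report or from any agent framework.
Token layout, scope names and the signing key below are assumptions.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- The pattern the audit describes: one unscoped key shared by every agent ---
SHARED_API_KEY = "sk-example-shared-key"  # assumed value, for illustration only


def shared_key_authorize(presented: str, action: str) -> bool:
    """Any holder of the key may perform any action; 'action' is never consulted.
    Revoking a single agent is impossible: the only remedy is rotating the key for all."""
    return hmac.compare_digest(presented, SHARED_API_KEY)


# --- The alternative: per-agent signed tokens with scope attenuation and revocation ---
SIGNING_KEY = b"example-only-issuer-key"  # assumption: held by the issuer, never given to agents


class Authority:
    """Issues, delegates (attenuates) and revokes per-agent tokens."""

    def __init__(self, key: bytes = SIGNING_KEY) -> None:
        self._key = key
        self._revoked: set[str] = set()  # agent ids whose tokens are no longer honoured

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, agent_id: str, scopes: set[str],
              parent: Optional[dict] = None, ttl: int = 3600) -> str:
        """Mint a token for agent_id. With a parent, scopes may only narrow, never widen."""
        chain: list[str] = []
        if parent is not None:
            if not scopes <= set(parent["scopes"]):
                raise PermissionError("child scopes must be a subset of parent scopes")
            chain = parent["chain"] + [parent["sub"]]  # record every ancestor for revocation
        claims = {
            "sub": agent_id, "scopes": sorted(scopes), "chain": chain,
            "exp": int(time.time()) + ttl, "nonce": secrets.token_hex(8),
        }
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def delegate(self, parent_token: str, child_id: str, scopes: set[str]) -> str:
        """Let the holder of parent_token spawn a child with a (sub)set of its scopes."""
        parent = self.verify(parent_token)
        if parent is None:
            raise PermissionError("parent token is invalid, expired or revoked")
        return self.issue(child_id, scopes, parent=parent)

    def revoke(self, agent_id: str) -> None:
        """Revoke one agent; everything it delegated becomes invalid too, nothing else does."""
        self._revoked.add(agent_id)

    def verify(self, token: str) -> Optional[dict]:
        """Return claims if the signature holds, the token is unexpired, and no ancestor is revoked."""
        try:
            body, sig = token.rsplit(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None  # tampered body (e.g. an agent editing its own scopes)
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] < time.time():
            return None
        if self._revoked.intersection([claims["sub"], *claims["chain"]]):
            return None
        return claims

    def authorize(self, token: str, required: str) -> bool:
        claims = self.verify(token)
        return claims is not None and required in claims["scopes"]


def tamper_scopes(token: str, new_scopes: set[str]) -> str:
    """Simulate a rogue agent rewriting its own claims; the signature no longer matches."""
    body, sig = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["scopes"] = sorted(new_scopes)
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{sig}"


if __name__ == "__main__":
    auth = Authority()
    orch = auth.issue("orchestrator", {"read:repo", "write:repo", "send:email"})
    worker = auth.delegate(orch, "researcher", {"read:repo"})
    print("worker read:", auth.authorize(worker, "read:repo"))
    print("worker write:", auth.authorize(worker, "write:repo"))
    auth.revoke("researcher")
    print("after revoke, worker read:", auth.authorize(worker, "read:repo"))
    print("after revoke, orchestrator write:", auth.authorize(orch, "write:repo"))
```

The two properties worth noting are the subset check in `issue`, which is what stops a child agent from inheriting the full parent credential, and the ancestor chain stored in each token, which is what makes revoking a single agent cut off everything it spawned without touching its siblings or the orchestrator.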