Audit Reveals 93% of AI Agent Frameworks Rely on Unscoped API Keys

We audited authorization in 30 AI agent frameworks — 93% rely on unscoped API keys. The audit examined popular AI agent projects (e.g., OpenClaw, AutoGen, CrewAI, LangGraph) and found that 93% use unscoped API keys as their sole authentication method. None of the frameworks implement per-agent cryptographic identity, and all lack per-agent revocation, requiring full key rotation if one agent is compromised. In multi-agent systems, child agents inherit full parent credentials without scope restrictions. The report also linked findings to OWASP Agentic Top 10 risks and cited real incidents, including exposed credentials and unauthenticated servers.