YggdrasilRightNow-AI/openfang
↗ GitHubOpen-source Agent Operating System
16,082
Stars
1,998
Forks
123
Watchers
115
Open Issues
Safety Rating A
The repository appears to be a legitimate, well-structured open-source Rust project. No hardcoded secrets, malicious code patterns, or prompt injection attempts were detected in the provided content. The README is detailed and technically credible, describing a complex multi-crate Rust workspace with extensive test coverage and a documented security model. The install-via-curl pattern (curl | sh) is a common but inherently trust-dependent distribution method that users should be aware of. No dependency manifests were available for scanning, which is the only minor gap. Overall, the project presents no red flags and appears to be a legitimate open-source effort.
ℹAI-assisted review, not a professional security audit.
AI Analysis
OpenFang is an open-source Agent Operating System (Agent OS) built in Rust, designed to run autonomous AI agents that operate on schedules and workflows without requiring continuous user prompting. It compiles to a single ~32MB binary and provides 7 pre-built autonomous capability packages called 'Hands' (covering research, lead generation, OSINT, social media management, web automation, content clipping, and forecasting), 40 channel adapters, 27 LLM provider integrations, a WASM sandbox, 16 declared security layers, a Tauri 2.0 desktop app, and an OpenAI-compatible REST API. The project is pre-1.0 (v0.3.30) and is maintained by RightNow AI.
Use Cases
- Running autonomous AI agents on schedules for tasks like competitor research, lead generation, and social media management
- Deploying a self-hosted agent platform with an OpenAI-compatible API as a drop-in replacement for hosted LLM services
- Integrating AI agents into 40+ messaging platforms including Telegram, Discord, WhatsApp, and Slack
- Automating web workflows including form filling, navigation, and multi-step browser interactions
- Building and publishing custom agent capability packages ('Hands') to a marketplace (FangHub)
- Migrating existing agent setups from frameworks like OpenClaw, LangChain, or AutoGPT
Tags
Security Findings (3)
The README documents a built-in 'Prompt Injection Scanner' (Security System #12) that detects override attempts and data exfiltration patterns. While this is a defensive feature description, the phrasing and detail about injection patterns is benign documentation, not an injection attempt itself. No actual prompt injection attempt was detected in the README content.
No hardcoded secrets, API keys, tokens, or private keys were identified in the provided repository content (README and metadata only). The README references environment variables for configuration (e.g., WHATSAPP_WEB_GATEWAY_URL, OPENFANG_URL) which is appropriate practice.
No dependency manifest files (Cargo.toml, package.json) were included in the provided content, so a static dependency vulnerability scan could not be performed. The WhatsApp gateway component requires Node.js >= 18 and npm packages, which warrant review of the package.json when available.