nandrzej

nandrzej / vlnr

Public

AI security agent for the Python supply chain: scans packages, generates exploits, and validates them in Docker, autonomously.

agentic-ai ai-agents ai-security cve exploit-development
37
0
100% credibility
Found Apr 23, 2026 at 37 stars -- GitGems finds repos before they trend. Get early access to the next one.
Sign Up Free
AI Analysis
Python
AI Summary

vlnr is an AI-driven security tool that autonomously discovers, analyzes, exploits, and validates vulnerabilities in popular Python packages.

How It Works

1
🔍 Discover vlnr

You hear about a clever tool that hunts for hidden security weaknesses in popular Python libraries used by millions.

2
💻 Set it up

You download it to your computer and connect a smart AI helper so it can think and decide what to check next.

3
📋 Pick targets

You choose a list of busy, widely-used libraries that might have overlooked dangers.

4
🚀 Launch the hunter

You start the smart agent, and it automatically scans code, spots issues, creates test exploits, and checks them safely in a protected space.

5
📊 Watch it work

The agent thinks step-by-step, filters out false alarms, and focuses on real threats until its thinking budget is spent.

Get your discoveries

You receive clear reports with confirmed weaknesses, proof scripts, and safety notes to share your findings responsibly.

Sign up to see the full architecture

4 more

Sign Up Free

Star Growth

See how this repo grew from 37 to 37 stars Sign Up Free
Repurpose This Repo

Repurpose is a Pro feature

Generate ready-to-use prompts for X threads, LinkedIn posts, blog posts, YouTube scripts, and more -- with full repo context baked in.

Unlock Repurpose
AI-Generated Review

What is vlnr?

vlnr is a Python-based AI security agent that automates vulnerability hunting in the PyPI supply chain. It discovers high-impact packages via download centrality and OSV gaps, runs static scans with tools like Bandit and Semgrep, triages findings with LLMs, generates PoC exploits, and validates them in isolated Docker containers—all in a budget-aware, resumable agent loop. Users get ranked candidates, structured JSON findings, OpenVEX records, and executable PoCs via simple CLI commands like `poc-find-candidates` or `vlnr agent`.

Why is it gaining traction?

It stands out by closing the loop traditional github security scanning tools like Bandit leave open: agentic decisions cut false positives by 25%, focusing on reachable exploits in CLI, ML, and DevOps libs. Developers hook on the autonomous mode that handles planning, acting, and observing without babysitting, plus tiered LLM routing for cost efficiency—like a security agent claude code or AWS setup but for Python supply chain clarity check.

Who should use this?

Python security researchers auditing popular packages for zero-days, supply chain teams generating github security advisories or policies, and bug bounty hunters targeting under-audited libs. Ideal for those doing clarity act-style ecosystem scans or validating github security md outputs.

Verdict

Promising for authorized research with strong docs, strict typing, and VCR tests, but at 37 stars and 1.0% credibility it's early-stage—prototype quality, not production-ready. Try for PoC validation workflows if you're deep in Python vulns.

(198 words)

Sign up to read the full AI review Sign Up Free

Similar repos coming soon.