Study: 38.9% of AI-Generated Pull Requests Contain Security Smells
Jul 15, 2026
A large-scale empirical study of 4,022 pull requests from the AIDev dataset found that 38.9% of agent-generated PRs contain at least one security smell, with supply chain integrity issues accounting for 82.3% of all detected smells. Hard-coded credentials made up 99.6% of critical-severity issues, and 81.1% of these credentials went undetected before integration. The study also found that human collaborators introduced 67.6% of genuine leaked secrets in agent-assisted workflows.
Why it matters: This research reveals that autonomous coding agents introduce significant security risks that current review processes often fail to catch, highlighting the urgent need for improved security guardrails in human-AI collaboration.
Full story at: arXiv Cryptography and Security ↗