How to read this: HVTrust (0–100) weighs supply-chain signals (provenance, OSSF Scorecard, signed commits, open license) alongside real-world adoption. Grade D reflects the trust score band: A ≥ 80, B ≥ 65, C ≥ 50, D < 50.
Signals refreshed 2026-06-04 20:15 UTC · Repo last pushed 128 days ago
Rank Trend (chart, 2026-05-23 to 2026-06-04)
Activity & Reach
Stars: 10.8k
Forks: 812
Last Push: 2026-01-27 (128 days ago)
Commits (4 wk): 0
Downloads (7d): 1,174 (pypi)
HN mentions (30d): 0
Open Issues: 50
Rank Change: ▼7 (was #156)
Analysis
HVTrust Dimensions: 44.0 / 100 · 100.0% confidence
Safety / Integrity (OSSF, provenance, signatures): 4.8 / 25
Identity / Provenance (listing and build link): 10.8 / 18
Transparency (license and public checks): 11.1 / 17
Maintenance (freshness and commits): 3.5 / 20
Adoption (stars and downloads): 13.8 / 20
Activity Inputs: 44.9 / 100
Stars (repository reach): 24.2 / 30
Freshness (last push recency): 7.2 / 25
Activity (recent commits): 0.0 / 25
Community (fork signal): 13.5 / 20
Supply Chain Trust
Package Provenance: None (no package attestations found)
OSSF Scorecard: 3.1 / 10 (via deps.dev · OpenSSF)
Signed Commits: 19% of last 100 commits verified
OpenSSF Scorecard checks (each scored 0–10; -1 = check inconclusive or not applicable):
Binary-Artifacts: 10
Branch-Protection: 0
CI-Tests: 5
CII-Best-Practices: 0
Code-Review: 1
Contributors: 10
Dangerous-Workflow: 10
Dependency-Update-Tool: 0
Fuzzing: 0
License: 10
Maintained: 0
Packaging: -1
Pinned-Dependencies: 0
SAST: 6
Security-Policy: 0
Signed-Releases: -1
Token-Permissions: 0
Vulnerabilities: 2
Is UI-TARS safe?
Public trust evidence for UI-TARS is thin: several supply-chain signals are missing or weak. This does not mean the project is unsafe — it means an outside observer cannot easily verify the usual integrity checks. Treat with extra scrutiny.
Does UI-TARS publish package provenance?
No published build provenance is currently detected for UI-TARS. This is common for open-source projects but means consumers cannot independently verify that the package on the registry matches the GitHub source.
Does UI-TARS have an OpenSSF Scorecard?
UI-TARS has an OpenSSF Scorecard score of 3.1/10. The Scorecard checks for branch protection, signed releases, dependency updates, fuzzing, code review, and other supply-chain hygiene items. See the full check breakdown on this page.
Is UI-TARS actively maintained?
Slowing down. Last push was 128 days ago — keep an eye on whether activity resumes.
What license does UI-TARS use?
UI-TARS ships under Apache-2.0. A declared, OSI-approved license is one of the transparency signals HVTrust scores.
Are UI-TARS's commits signed?
19% of the last 100 commits to UI-TARS are verified-signed (GPG, SSH, S/MIME, or GitHub's signing flow). Signed commits help confirm that code was authored by who the commit claims.
Not a safety endorsement. HVTracker describes what public signals show, not whether a project is safe for your use case. Run your own security review before adopting in production.
Runtime trust — coming soon
HVTrust currently scores supply-chain signals. We're adding runtime trust next: what an agent actually does when it runs — what it can reach, which tools it carries, what external services it depends on.
MCP support
Tool / plugin surface
External service deps
Package provenance drift
Maintain UI-TARS?
HVTrust scores UI-TARS from public signals only — we never contact maintainers first. If a signal is wrong, stale, or missing (provenance you publish, a Scorecard you run, signed releases), tell us and we'll review it. Corrections are public and tracked on GitHub.