Search papers, labs, and topics across Lattice.
This paper introduces AgentFlow, a novel static analysis framework designed to recover and analyze agent dependencies in agent programs, which combine traditional code with framework-specific semantics. By constructing an Agent Dependency Graph (ADG), AgentFlow effectively captures complex relationships among agents, prompts, models, and their dependencies, enabling enhanced governance and security analyses. The evaluation on a dataset of 5,399 real-world agent programs demonstrates that AgentFlow outperforms existing tools by identifying richer dependencies and uncovering significant security risks, thereby establishing a robust foundation for managing agent software.
AgentFlow reveals 238 critical prompt-to-tool risks in real-world agent programs, highlighting the hidden complexities of agent dependencies that traditional analysis tools miss.
LLM agents are increasingly developed as source-code applications built on agent frameworks. These agent programs combine conventional host-language code with framework-defined semantics for models, prompts, tools, memory, and multi-agent orchestration logic. As a result, their behavior depends not only on traditional control and data flows, but also on a new class of agent dependencies. Such dependencies are often expressed as framework-induced semantics, such as agent constructors, tool decorators, and agent handoff declarations, making them difficult to recover with existing static analysis or dependency tracking tools. In this paper, we present AgentFlow, the first static analysis framework for recovering and analyzing agent dependencies from agent programs. AgentFlow constructs an Agent Dependency Graph (ADG), a framework-agnostic graph representation that represents agents, prompts, models, capabilities, memory states, and control policies as typed nodes, and captures their component-dependency, control-flow, and data-flow dependencies as typed edges. Built on ADGs, AgentFlow supports a range of analyses for agent governance and security, including Agent Bill of Materials (BOM) generation and prompt-to-tool risk detection. We implement AgentFlow for five representative agent frameworks and evaluate it on AgentZoo, a corpus of 5,399 real-world agent programs. Our evaluation shows that AgentFlow recovers richer agent entities and dependencies than existing AST-based agent static analysis tools, generates more dependency-aware Agent BOMs, and uncovers 238 taint-style prompt-to-tool risks in real-world agent programs. These results show that ADG provides a practical foundation for understanding, governing, and securing emerging agent software.