CrewAI

registry: PyPI
package name: crewai
maintainer: CrewAI Inc

CrewAI is a Python framework for orchestrating role-based multi-agent systems, where each agent has a defined role, goal, and backstory. Agents collaborate on tasks using shared tools and can delegate to each other. It is widely used for automating research, analysis, and content generation pipelines.

api usage

Checking CrewAI

crewai 0.80.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=crewai&version=0.80.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "crewai",
  "version": "0.80.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

attack surface

Why this package is monitored

Role-based agent frameworks assign tools with broad capabilities (web search, code execution, file access) to individual agents. A compromised orchestrator can misuse these tool grants outside the intended task scope during any agent run.

Attestd monitors crewai using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
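
An added example, not Attestd's own code: a fail-closed install gate over the check response shown above, using the per-source confidence values from this list. It assumes that each `sources` entry is a source name string, that `supported: false` means no verdict is available, and a hypothetical `block_at` threshold of 0.9.

```python
import json

# Confidence per detection source, as listed on this page.
SOURCE_CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}

def gate(response: dict, block_at: float = 0.9) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'review' or 'block'."""
    sc = response.get("supply_chain")
    # Fail closed: an unsupported product or missing block is not a clean verdict.
    if response.get("supported") is not True or not isinstance(sc, dict):
        return "review", "product not covered, no verdict available"
    flagged, names = sc.get("compromised"), sc.get("sources") or []
    if flagged is False and not names:
        return "allow", "no source reports a compromise"
    if flagged is not True:
        return "review", "ambiguous response, treat as unverified"
    # Assumption: entries of "sources" are source name strings.
    # Unknown or non-string entries score 1.0 so a new source type
    # can never weaken the gate.
    scores = [SOURCE_CONFIDENCE.get(n, 1.0) if isinstance(n, str) else 1.0
              for n in names]
    confidence = max(scores, default=1.0)
    verdict = "block" if confidence >= block_at else "review"
    return verdict, f"compromised per {names} (confidence {confidence:.2f})"

# Response from this page, trimmed to the fields the gate reads.
CLEAN = json.loads("""{
  "product": "crewai", "version": "0.80.0", "supported": true,
  "risk_state": "none",
  "supply_chain": {"compromised": false, "sources": []}
}""")

def sample(supported=True, compromised=False, sources=()):
    """Constructed variant of the page's response, for demonstration only."""
    r = json.loads(json.dumps(CLEAN))  # deep copy
    r["supported"] = supported
    r["supply_chain"].update(compromised=compromised, sources=list(sources))
    return r

if __name__ == "__main__":
    cases = [CLEAN,
             sample(compromised=True, sources=["pypi_yank"]),
             sample(compromised=True, sources=["osv", "pypi_yank"]),
             sample(supported=False)]
    for case in cases:
        print(gate(case))
```

A `review` verdict is meant to stop an unattended install and hand the decision to a person; only `allow` lets the pipeline continue.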
