[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-83602-en":3,"doc-seo-83602-105":29,"detail-sidebar-cat-0-en-105":83},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},83602,16904993612988,"Olivia Brown","https://ap-avatar.wpscdn.com/davatar_a8503ba1806abce46bf441b54a3ca4cd",8,"Research & Report","AGENTFLOW: Building Agent Dependency Graphs for Static Analysis of Agent Programs","AGENTFLOW introduces a static analysis framework that recovers and analyzes agent dependencies from LLM agent programs built on agent frameworks. It constructs an Agent Dependency Graph (ADG), a framework-agnostic, typed representation capturing agents, prompts, models, capabilities, memory states, and control policies, along with component, control-flow, and dataflow dependencies. ADGs enable agent governance and security analyses, including Agent BOM generation and prompt-to-tool risk detection, validated across five frameworks on AgentZoo.","AGENTFLOW: Building Agent Dependency Graphs for Static Analysis of Agent Programs  \nShenao Wang†, Xinyi Hou†, Yanjie Zhao†, Xiao Cheng‡, and Haoyu Wang†  \n†Huazhong University of Science and Technology,  \n‡Macquarie University  \n{shenaowang, xinyihou, yanjie zhao, [haoyuwang](haoyuwang}@hust.edu.cn)[}](haoyuwang}@hust.edu.cn)[@hust.edu.cn](haoyuwang}@hust.edu.cn),  \n[jumormt@gmail.com](jumormt@gmail.com)  \narXiv :2607 .0 1640v 1 [ cs . SE] 2 Jul 2026  \nAbstract—LLM agents are increasingly developed as sourcecode applications built on agent frameworks. These agent programs combine conventional host-language code with frameworkdefined semantics for models, prompts, tools, memory, and multiagent orchestration logic. As a result, their behavior depends not only on traditional control and data flows, but also on a new class of agent dependencies. Such dependencies are often expressed as framework-induced semantics, such as agent constructors, tool decorators, and agent handoff declarations, making them difficult to recover with existing static analysis or dependency tracking tools. In this paper, we present AGENTFLOW, the first static analysis framework for recovering and analyzing agent dependencies from agent programs. AGENTFLOW constructs an Agent Dependency Graph (ADG), a framework-agnostic graph representation that represents agents, prompts, models, capabilities, memory states, and control policies as typed nodes, and captures their component-dependency, control-flow, and dataflow dependencies as typed edges. Built on ADGs, AGENTFLOW supports a range of analyses for agent governance and security, including Agent Bill of Materials (BOM) generation and promptto-tool risk detection. We implement AGENTFLOW for five representative agent frameworks and evaluate it on AgentZoo, a corpus of 5,399 real-world agent programs. Our evaluation shows that AGENTFLOW recovers richer agent entities and dependencies than existing AST-based agent static analysis tools, generates more dependency-aware Agent BOMs, and uncovers 238 taint-style prompt-to-tool risks in real-world agent programs. These results show that ADG provides a practical foundation for understanding, governing, and securing emerging agent software.  \nIndex Terms—LLM agents, agent programs, static analysis, agent supply chain, Bill of Materials  \nI. INTRODUCTION  \nLarge language models (LLMs) are increasingly integrated into autonomous agents that plan, invoke tools, access memory, and collaborate with other agents. This introduces anew programming paradigm in which software systems are no longer composed only of deterministic code logics, but also incorporate probabilistic LLM components that determine parts of the execution logic at runtime [1], [2], [3] . Modern agent frameworks such as LangGraph [4], OpenAI Agents [5], and CrewAI [6] allow developers to build such applications by registering tools, specifying prompts, attaching memory, and orchestrating multi-agent workflows through frameworkspecific APIs. In this paper, we focus on source-code appli-  \ncations implemented through such frameworks, and refer to them as agent programs 1  \nAgent programs are framework-defined software built on ordinary host-language code. Beyond conventional program constructs such as functions, objects, classes, calls, assignments, and field accesses, agent frameworks introduce additional semantics through agents, tools, prompts, memory, and orchestration logic. These framework-induced semantics define a new class of agent-specific dependencies that classical dependency abstractions do not directly represent. We call them agent dependencies. Traditional static analysis reasons about dependencies exposed by explicit program constructs, such as control flow [7], [8], data flow [7], call graphs [9],[10], and points-to relations [11],[10], where each dependency edge is derived at a syntactic site in the code. However, an agent dependency is often declared through frameworklevel constructs and span","cbCaiue1h7imu0QH","https://ap.wps.com/l/cbCaiue1h7imu0QH","pdf",1236259,1,12,"English","en",105,"# Introduction\n# Background: Agent Dependencies and Limitations of Classical Analysis\n# Agent Dependency Graph (ADG)\n# Analyses Enabled by ADG (Governance, Security, Taint Risks)\n# Implementation and Evaluation","[{\"question\":\"What kinds of security and governance analyses does ADG support?\",\"answer\":\"ADG enables Agent Bill of Materials (BOM) generation and prompt-to-tool risk detection, including identifying taint-style prompt-to-tool risks in real-world agent programs.\"}]",1784189155,30,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":78,"head_meta":80,"extra_data":82,"updated_unix":27},"agentflow-building-agent-dependency-graphs-for-static-analysis-of-agent-programs","",{"@graph":35,"@context":77},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/agentflow-building-agent-dependency-graphs-for-static-analysis-of-agent-programs/83602/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71],{"name":72,"@type":73,"acceptedAnswer":74},"What kinds of security and governance analyses does ADG support?","Question",{"text":75,"@type":76},"ADG enables Agent Bill of Materials (BOM) generation and prompt-to-tool risk detection, including identifying taint-style prompt-to-tool risks in real-world agent programs.","Answer","https://schema.org",{"og:url":51,"og:type":79,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":81,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":84},[85,89,93,97,102,107,112,114,119,122,126],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":86,"show_sort_weight":87,"slug":88},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":90,"show_sort_weight":91,"slug":92},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Exam",70,"exam",{"id":98,"doc_module":4,"doc_module_name":45,"category_name":99,"show_sort_weight":100,"slug":101},5,"Comic",60,"comic",{"id":103,"doc_module":4,"doc_module_name":45,"category_name":104,"show_sort_weight":105,"slug":106},6,"Technology",50,"technology",{"id":108,"doc_module":4,"doc_module_name":45,"category_name":109,"show_sort_weight":110,"slug":111},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":28,"slug":113},"research-report",{"id":115,"doc_module":4,"doc_module_name":45,"category_name":116,"show_sort_weight":117,"slug":118},9,"Religion & Spirituality",20,"religion-spirituality",{"id":117,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":117,"slug":121},"World Cup","world-cup",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":123,"slug":125},10,"Lifestyle","lifestyle",{"id":127,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":98,"slug":129},19,"General","general"]