{"id":"https://openalex.org/W7134046696","doi":"https://doi.org/10.1142/s1793351x26410059","title":"Rising Fast, Prone to Risk: A Comprehensive Study of Security Risks in Open\u2013Source LLM\u2013Powered Applications","display_name":"Rising Fast, Prone to Risk: A Comprehensive Study of Security Risks in Open\u2013Source LLM\u2013Powered Applications","publication_year":2026,"publication_date":"2026-03-01","ids":{"openalex":"https://openalex.org/W7134046696","doi":"https://doi.org/10.1142/s1793351x26410059"},"language":"en","primary_location":{"id":"doi:10.1142/s1793351x26410059","is_oa":false,"landing_page_url":"https://doi.org/10.1142/s1793351x26410059","pdf_url":null,"source":{"id":"https://openalex.org/S4210201727","display_name":"International Journal of Semantic Computing","issn_l":"1793-351X","issn":["1793-351X","1793-7108"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319815","host_organization_name":"World Scientific","host_organization_lineage":["https://openalex.org/P4310319815"],"host_organization_lineage_names":["World Scientific"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Semantic Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5123395124","display_name":"Julia Gomez-Rangel","orcid":null},"institutions":[{"id":"https://openalex.org/I96749437","display_name":"Texas A&M University \u2013 Corpus Christi","ror":"https://ror.org/01mrfdz82","country_code":"US","type":"education","lineage":["https://openalex.org/I96749437"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Julia Gomez-Rangel","raw_affiliation_strings":["Department of Computer Science, Texas A&M University-Corpus Christi, Corpus Christi, Texas, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Texas A&M University-Corpus Christi, Corpus Christi, Texas, USA","institution_ids":["https://openalex.org/I96749437"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128241718","display_name":"Alvaro Vazquez","orcid":null},"institutions":[{"id":"https://openalex.org/I96749437","display_name":"Texas A&M University \u2013 Corpus Christi","ror":"https://ror.org/01mrfdz82","country_code":"US","type":"education","lineage":["https://openalex.org/I96749437"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Alvaro Vazquez","raw_affiliation_strings":["Department of Computer Science, Texas A&M University-Corpus Christi, Corpus Christi, Texas, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Texas A&M University-Corpus Christi, Corpus Christi, Texas, USA","institution_ids":["https://openalex.org/I96749437"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128231377","display_name":"Young Lee","orcid":null},"institutions":[{"id":"https://openalex.org/I1335518801","display_name":"Texas A&M University \u2013 San Antonio","ror":"https://ror.org/0084njv03","country_code":"US","type":"education","lineage":["https://openalex.org/I1335518801"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Young Lee","raw_affiliation_strings":["Department of Computational, Engineering and Mathematical Sciences, Texas A&M University-San Antonio, San Antonio, Texas, USA"],"raw_orcid":"https://orcid.org/0000-0003-3589-3120","affiliations":[{"raw_affiliation_string":"Department of Computational, Engineering and Mathematical Sciences, Texas A&M University-San Antonio, San Antonio, Texas, USA","institution_ids":["https://openalex.org/I1335518801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5019297796","display_name":"Kadir Alpaslan Demir","orcid":"https://orcid.org/0000-0002-8304-6324"},"institutions":[{"id":"https://openalex.org/I96749437","display_name":"Texas A&M University \u2013 Corpus Christi","ror":"https://ror.org/01mrfdz82","country_code":"US","type":"education","lineage":["https://openalex.org/I96749437"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kadir Alpaslan Demir","raw_affiliation_strings":["Department of Computer Science, Texas A&M University-Corpus Christi, Corpus Christi, Texas, USA"],"raw_orcid":"https://orcid.org/0000-0002-8304-6324","affiliations":[{"raw_affiliation_string":"Department of Computer Science, Texas A&M University-Corpus Christi, Corpus Christi, Texas, USA","institution_ids":["https://openalex.org/I96749437"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5128265096","display_name":"Bozhen Liu","orcid":null},"institutions":[{"id":"https://openalex.org/I96749437","display_name":"Texas A&M University \u2013 Corpus Christi","ror":"https://ror.org/01mrfdz82","country_code":"US","type":"education","lineage":["https://openalex.org/I96749437"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Bozhen Liu","raw_affiliation_strings":["Department of Computer Science, Texas A&M University-Corpus Christi, Corpus Christi, Texas, USA"],"raw_orcid":"https://orcid.org/0000-0003-2137-2375","affiliations":[{"raw_affiliation_string":"Department of Computer Science, Texas A&M University-Corpus Christi, Corpus Christi, Texas, USA","institution_ids":["https://openalex.org/I96749437"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.239615,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"20","issue":"01","first_page":"95","last_page":"134"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.131400004029274,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.131400004029274,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.07840000092983246,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.0706000030040741,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.7372999787330627},{"id":"https://openalex.org/keywords/component","display_name":"Component (thermodynamics)","score":0.5157999992370605},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4341000020503998},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.43389999866485596},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.4223000109195709},{"id":"https://openalex.org/keywords/taxonomy","display_name":"Taxonomy (biology)","score":0.3995000123977661},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.3822999894618988},{"id":"https://openalex.org/keywords/component-based-software-engineering","display_name":"Component-based software engineering","score":0.362199991941452},{"id":"https://openalex.org/keywords/software-design-pattern","display_name":"Software design pattern","score":0.3619000017642975}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8007000088691711},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.7372999787330627},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.5157999992370605},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.47850000858306885},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4494999945163727},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4341000020503998},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.43389999866485596},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.4223000109195709},{"id":"https://openalex.org/C58642233","wikidata":"https://www.wikidata.org/wiki/Q8269924","display_name":"Taxonomy (biology)","level":2,"score":0.3995000123977661},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3822999894618988},{"id":"https://openalex.org/C174683762","wikidata":"https://www.wikidata.org/wiki/Q609588","display_name":"Component-based software engineering","level":4,"score":0.362199991941452},{"id":"https://openalex.org/C146054899","wikidata":"https://www.wikidata.org/wiki/Q181156","display_name":"Software design pattern","level":3,"score":0.3619000017642975},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.35749998688697815},{"id":"https://openalex.org/C72280835","wikidata":"https://www.wikidata.org/wiki/Q635346","display_name":"Architectural pattern","level":5,"score":0.35670000314712524},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.35019999742507935},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.33820000290870667},{"id":"https://openalex.org/C33276779","wikidata":"https://www.wikidata.org/wiki/Q1943363","display_name":"Design elements and principles","level":2,"score":0.33820000290870667},{"id":"https://openalex.org/C2781421246","wikidata":"https://www.wikidata.org/wiki/Q5283148","display_name":"Distributed development","level":4,"score":0.33489999175071716},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.32170000672340393},{"id":"https://openalex.org/C166052673","wikidata":"https://www.wikidata.org/wiki/Q83021","display_name":"Empirical evidence","level":2,"score":0.31869998574256897},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3061999976634979},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.3059000074863434},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.289900004863739},{"id":"https://openalex.org/C84945661","wikidata":"https://www.wikidata.org/wiki/Q7366567","display_name":"Root cause","level":2,"score":0.2849999964237213},{"id":"https://openalex.org/C2778544944","wikidata":"https://www.wikidata.org/wiki/Q1352349","display_name":"Architectural model","level":3,"score":0.28060001134872437},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.27730000019073486},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.2687000036239624},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.2621999979019165},{"id":"https://openalex.org/C2164484","wikidata":"https://www.wikidata.org/wiki/Q5170150","display_name":"Core (optical fiber)","level":2,"score":0.25540000200271606},{"id":"https://openalex.org/C2776867947","wikidata":"https://www.wikidata.org/wiki/Q500467","display_name":"End-user development","level":3,"score":0.2547000050544739},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.25060001015663147}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1142/s1793351x26410059","is_oa":false,"landing_page_url":"https://doi.org/10.1142/s1793351x26410059","pdf_url":null,"source":{"id":"https://openalex.org/S4210201727","display_name":"International Journal of Semantic Computing","issn_l":"1793-351X","issn":["1793-351X","1793-7108"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319815","host_organization_name":"World Scientific","host_organization_lineage":["https://openalex.org/P4310319815"],"host_organization_lineage_names":["World Scientific"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Semantic Computing","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Responsible consumption and production","score":0.48922762274742126,"id":"https://metadata.un.org/sdg/12"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":17,"referenced_works":["https://openalex.org/W1969939902","https://openalex.org/W1979290264","https://openalex.org/W2260364782","https://openalex.org/W2922234936","https://openalex.org/W2930652247","https://openalex.org/W4310562987","https://openalex.org/W4384009685","https://openalex.org/W4384026759","https://openalex.org/W4385287322","https://openalex.org/W4392353733","https://openalex.org/W4398766423","https://openalex.org/W4400242312","https://openalex.org/W4400324908","https://openalex.org/W4401544034","https://openalex.org/W4403413494","https://openalex.org/W4406738283","https://openalex.org/W4413349822"],"related_works":[],"abstract_inverted_index":{"The":[0,234],"rapid":[1,31],"rise":[2],"of":[3,18,33,52,76,86,103,141,160,180,188,209,260,266],"large":[4],"language":[5],"models":[6],"(LLMs)":[7],"has":[8],"driven":[9],"their":[10,53,88],"widespread":[11],"adoption,":[12],"especially":[13,49],"as":[14,25,130,132,136,221,223],"the":[15,30,46,84,177,181,193,218,224,263],"core":[16],"component":[17],"open-source":[19,47,79,173,219],"applications,":[20],"which":[21,63],"we":[22,70,256],"refer":[23],"to":[24,246],"LLM-Powered":[26],"Apps":[27],"(LPAs).":[28],"Despite":[29],"growth":[32],"this":[34,68],"ecosystem,":[35],"little":[36],"is":[37],"known":[38],"about":[39],"how":[40,117,210],"these":[41,199],"applications":[42],"are":[43,212],"built":[44,214],"in":[45,50,150,172,217],"world,":[48],"terms":[51],"architectural":[54,104,120],"and":[55,60,91,95,105,115,121,144,168,201,215,227,231,242,250,274,284],"design":[56,89,128,145],"decisions,":[57],"deployment":[58],"strategies,":[59],"security":[61,94,122],"practices,":[62],"remain":[64],"poorly":[65],"understood.":[66],"In":[67],"paper,":[69],"conduct":[71],"a":[72,101,186,206,258,271,275],"comprehensive":[73],"empirical":[74],"study":[75,159,204],"89":[77],"popular":[78,166],"LPAs":[80,167,211],"on":[81,192],"GitHub,":[82],"with":[83],"goal":[85],"characterizing":[87],"choices":[90],"identifying":[92],"common":[93],"safety":[96],"concerns.":[97],"We":[98,154,175],"systematically":[99],"collect":[100],"set":[102,259],"operational":[106],"attributes,":[107],"classify":[108],"each":[109],"LPA":[110],"by":[111,184],"its":[112],"primary":[113],"purpose":[114],"analyze":[116],"functionality":[118],"influences":[119],"design.":[123],"Our":[124],"findings":[125],"reveal":[126],"dominant":[127],"patterns":[129],"well":[131,222],"recurring":[133,225],"risks,":[134],"such":[135],"inadequate":[137],"access":[138],"control,":[139],"lack":[140],"telemetry":[142],"transparency,":[143],"assumptions":[146],"that":[147],"break":[148],"down":[149],"complex":[151],"runtime":[152],"environment.":[153],"also":[155],"conducted":[156],"an":[157],"in-depth":[158],"376":[161],"GitHub":[162,182,276,286],"issues":[163,183,226],"from":[164],"two":[165,169],"LIFs":[170],"developed":[171],"communities.":[174],"summarize":[176],"root":[178],"causes":[179],"creating":[185],"taxonomy":[187],"three":[189],"themes":[190],"based":[191],"software":[194,253],"development":[195],"life-cycle.":[196],"By":[197],"surfacing":[198],"trends":[200],"vulnerabilities,":[202],"our":[203],"provides":[205],"foundational":[207],"understanding":[208],"currently":[213],"deployed":[216],"ecosystem":[220],"pitfalls":[228],"for":[229,239,262,279],"developing":[230],"maintaining":[232],"LPAs.":[233],"results":[235],"offer":[236],"practical":[237],"insights":[238],"developers,":[240],"researchers,":[241],"platform":[243],"maintainers":[244],"seeking":[245],"build":[247],"more":[248],"robust":[249],"secure":[251,264],"LLM-integrated":[252],"systems.":[254],"Furthermore,":[255],"propose":[257],"guideline":[261],"use":[265],"API":[267,289],"keys,":[268],"encapsulated":[269],"within":[270],"pre-commit":[272],"hook":[273],"Action":[277],"workflow":[278],"easy":[280],"integration":[281],"into":[282],"new":[283],"existing":[285],"projects":[287],"using":[288],"keys.":[290]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-03-07T00:00:00"}