Open source maintainers used to worry about the volume of incoming pull requests. They are now worrying about who, or what, is writing them. The arrival of coding agents that can autonomously point themselves at a repository and open a contribution has produced a deluge of low-quality and, in many cases, reputational PRs, and it has become "very difficult as a maintainer" to tell the worthwhile ones from the rest, according to Gavriel Cohen, creator of NanoClaw, a secure agent framework, and co-founder of NanoCo AI.
That is the entry point for a pair of announcements Cohen made Thursday evening in San Francisco at a JFrog event. The first is a partnership that routes the packages AI agents fetch from the internet through JFrog's reviewed registries, a substitution for per-package human approval. The second is what Cohen calls an "agent factory": a pipeline of agents whose job is to read the AI-written pull requests now crowding maintainer inboxes, score them, and route the ones worth a human's attention. Together they sketch an early version of the trust layer that has to exist for agents to be both consumers and contributors in open source.
The supply-side move is the NanoClaw and JFrog integration itself. Claw-style agents, the family that includes NanoClaw and the broader OpenClaw project, can improve themselves on the fly by fetching tools and resources they do not already have. That capability is useful, but it opens an obvious attack surface: an agent that can pull a package from the public npm registry can be steered toward a malicious one. Even when the agent runs inside a hardened sandbox, the threat model does not go away; code that executes inside the container can still take harmful actions with whatever access the container has, and the developer friction is real, since developers do not always have the time to vet a package they have never seen.
Manual approval used to be the workaround, and it is still fine for known local data. For npm-scale fetching, it does not survive the workload. A developer cannot meaningfully review every transitive dependency an autonomous agent might request, and the JFrog partnership is, in effect, a substitution: instead of asking a human to bless each package, NanoClaw routes agent fetches through JFrog's reviewed registries, trading per-package approval for registry-level reputation. The "vetted" label is a trust claim, and Cohen is the first to acknowledge that it has to be earned.
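One concrete form of the registry-level check described above, written here as an added example rather than code from NanoClaw or JFrog: audit an npm lockfile after an agent run and flag any package whose resolved source bypassed the approved registry. The registry URL and the lockfile contents are constructed placeholders, not values from the page.

```python
import json
from urllib.parse import urlparse

# Constructed placeholder for the reviewed registry endpoint (assumption, not the real one).
APPROVED_REGISTRY = "https://artifacts.example.internal/artifactory/api/npm/npm-remote/"

# Constructed sample in the shape of an npm lockfile v3; one entry is clean, one was
# fetched straight from the public registry, one was pulled from a git URL.
SAMPLE_LOCKFILE = json.loads("""{
  "name": "agent-workspace",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "agent-workspace", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://artifacts.example.internal/artifactory/api/npm/npm-remote/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-placeholder"
    },
    "node_modules/evil-helper": {
      "version": "0.0.1",
      "resolved": "https://registry.npmjs.org/evil-helper/-/evil-helper-0.0.1.tgz"
    },
    "node_modules/from-git": {
      "version": "2.0.0",
      "resolved": "git+ssh://git@github.com/someone/from-git.git#abc123"
    }
  }
}""")


def audit_lockfile(lock: dict, approved_registry: str) -> list[dict]:
    """Return one finding per package whose source bypasses the approved registry.

    A package is flagged when its 'resolved' URL is missing, is not HTTPS, points at a
    host or path prefix other than the approved registry, or has no 'integrity' hash.
    """
    approved = urlparse(approved_registry)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry is not a fetched package
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved")
        if not resolved:
            findings.append({"package": name, "reason": "no resolved URL recorded"})
            continue
        url = urlparse(resolved)
        outside = (url.scheme != "https" or url.netloc != approved.netloc
                   or not url.path.startswith(approved.path))
        if outside:
            findings.append({"package": name, "reason": f"resolved outside approved registry: {resolved}"})
        elif not meta.get("integrity"):
            findings.append({"package": name, "reason": "missing integrity hash"})
    return findings
```

A non-empty result is a signal that the agent's environment still has a path to the public registry or to arbitrary git sources, which is exactly the bypass the registry substitution is meant to close.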
The harder problem is on the other side of the loop. The same wave of AI capability that lets agents open pull requests has produced a flood of low-quality and, in Cohen's telling, reputational contributions: PRs opened by agents as a way to plant a backlink, attach a model's name to a popular repository, or simply demonstrate activity. "There's a lot of low-quality PRs, and there's a lot of reputational PRs," Cohen said of a maintainer inbox that no longer resembles a queue of feature submissions. The "agent factory" he described on Thursday is his first attempt to push back on that flood.
That framing matters because it reframes the AI-PR problem as a structural condition rather than a temporary spike. Agents are not going to stop writing pull requests; the cost of pointing a coding model at a repository and asking it to open a PR is now effectively zero. The bottleneck has moved from generation to review, and the people stuck at that bottleneck are the same maintainers who were already overtaxed. Cohen's agent factory is one response, and it is also a recognition that the next layer of norms and tooling for open source will be built by the same community that needs it, and that the first drafts of those norms are going to be imperfect.
What to watch is whether "vetted registry" becomes a contractually meaningful term with audit trails behind it or settles into another marketing claim, and whether the maintainers drowning in PRs today get a seat at the table as those decisions are made. The first drafts of those norms are now in public view, and they will be tested quickly.