
AI Meets Git: Unmasking Security Flaws in Qodo Merge

The whole world is talking about AI, and developers are no exception. When a developer hears about a tool that can help them handle git pull requests using AI, they are likely to start using it for their open source project. This is precisely what's happening with Qodo Merge (formerly PR-Agent), an open source tool that helps review and handle git pull requests by using AI to provide feedback and suggestions to developers. It is being adopted by more and more open source projects, including popular ones. It is so easy to add new features by relying on external tools, yet the consequences for security can be catastrophic. Indeed, if the tool contains security vulnerabilities, the project using it may become vulnerable too and may grant anyone permissions to perform unexpected actions without realizing it. But everyone wants to use AI, so security may be overlooked.

English
  • Originally Aired December 29, 2024
  • Runtime 40 minutes
  • Production Code 347
  • Created January 2, 2025 by r4m3u5
  • Modified January 2, 2025 by r4m3u5