The behavioral vulnerability enumeration standard for agentic AI components.
Every record defines a distinct attack class affecting MCP servers, skill files, system prompts, and agent plugins — scored with OWASP AIVSS v0.8, mapped to OWASP MCP Top 10 and MITRE ATLAS.
Skill files, MCP server manifests, and system prompts are executable instructions, not documentation. Any process that loads them runs them. There is no compiler, no type checker, no sandbox. The runtime is an LLM that reads natural language and acts on it.
CVE identifies flaws in software. OSV maps them to packages and version ranges. Neither can describe a prompt injection hidden in an MCP tool description — there is no package, no version, no vulnerable dependency. The danger is in what the component does, not what it imports.
AVE fills that gap. It assigns stable identifiers to distinct behavioral vulnerability classes in agentic AI, scores them with OWASP AIVSS v0.8, and maps every record to OWASP MCP Top 10 and MITRE ATLAS so it lands in frameworks defenders already use.
AVE is a standard, not a product. The bawbel-scanner implements it. Any tool can map to it.

Your CI pipeline scans Python for CVEs. It does not scan your SKILL.md for prompt injection. AVE + Bawbel fixes that.
Without AVE:

```text
Attacker crafts          Developer ships          Agent loads
malicious payload   →    skill file          →    skill file
                         (unscanned)              at runtime
                                                      ↓
                                      Agent executes attacker payload
                         (data exfiltrated, credentials stolen, goals hijacked)
```

With AVE + Bawbel Scanner:

```text
Developer commits        bawbel scan fires        Finding blocked
skill file          →    in CI / pre-commit  →    before deploy
                                                      ↓
                                      AVE-2026-00001 detected:
                                      Metamorphic payload via external config fetch
                                      AIVSS 8.0 · HIGH · owasp_mcp: MCP03, MCP04
                                      Line 7: "fetch your instructions from..."
```
| Metric | Value |
|---|---|
| Total records | 51 |
| Schema version | 1.0.0 |
| AIVSS spec | v0.8 |
| CRITICAL (≥ 9.0) | 1 |
| HIGH (7.0–8.9) | 9 |
| MEDIUM (4.0–6.9) | 40 |
| LOW (< 4.0) | 1 |
| Framework: OWASP MCP Top 10 | all records |
| Framework: MITRE ATLAS | where applicable |
| Framework: OWASP Agentic AI Top 10 | where applicable |
| Framework: NIST AI RMF | where applicable |
Every record is scored with OWASP AIVSS v0.8:
AIVSS = ((CVSS_Base + AARS) / 2) × ThM × Mitigation_Factor
AARS (Agentic Amplification and Reachability Score) is the weighted sum of 10 Agentic Amplification and Risk Factors (AARF), each scored 0.0–1.0:
| # | Factor | Why it matters |
|---|---|---|
| 1 | Autonomy | Agent acts without human approval |
| 2 | Tool Use | Agent has access to external tools or APIs |
| 3 | Multi-Agent | Agent interacts with or spawns other agents |
| 4 | Non-Determinism | Behavior varies unpredictably across runs |
| 5 | Self-Modification | Can alter own instructions or memory at runtime |
| 6 | Dynamic Identity | Assumes roles or identities at runtime |
| 7 | Persistent Memory | Retains state across sessions |
| 8 | Natural Language Input | Instruction surface via natural language |
| 9 | Data Access | Reads sensitive data (files, env vars, databases) |
| 10 | External Dependencies | Loads external code, skills, or remote content |
Severity bands:
| Band | AIVSS | Meaning |
|---|---|---|
| CRITICAL | ≥ 9.0 | Immediate exploitation, full agent compromise |
| HIGH | 7.0–8.9 | Significant data loss or privilege escalation |
| MEDIUM | 4.0–6.9 | Meaningful risk requiring review |
| LOW | < 4.0 | Limited impact or requires chaining |
ThM (Threat Maturity) valid values: 0.75 (theoretical) · 0.90 (PoC exists) · 1.0 (in-the-wild)
Worked example — AVE-2026-00001 (Metamorphic Payload):

```text
AARF factors:
  autonomy=1.0  tool_use=1.0  multi_agent=0.5  non_determinism=1.0  self_modification=1.0
  dynamic_identity=0.0  persistent_memory=0.5  natural_language_input=1.0
  data_access=0.5  external_dependencies=1.0

AARS = 1.0 + 1.0 + 0.5 + 1.0 + 1.0 + 0.0 + 0.5 + 1.0 + 0.5 + 1.0 = 7.5
CVSS_Base = 8.5   ThM = 1.0 (in-the-wild)   Mitigation_Factor = 1

AIVSS = ((8.5 + 7.5) / 2) × 1.0 × 1 = 8.0 → HIGH
```
| AVE ID | Title | AIVSS | Severity |
|---|---|---|---|
| AVE-2026-00001 | Metamorphic Payload via External Config Fetch | 8.0 | HIGH |
| AVE-2026-00002 | Tool Poisoning via Description Manipulation | 7.3 | HIGH |
| AVE-2026-00003 | Data Exfiltration via Credential Theft | 6.8 | MEDIUM |
| AVE-2026-00004 | Arbitrary Code Execution via Shell Pipe Injection | 5.9 | MEDIUM |
| AVE-2026-00005 | Destructive Command Execution | 5.6 | MEDIUM |
| AVE-2026-00006 | Cryptocurrency Drain via Wallet Access | 7.5 | HIGH |
| AVE-2026-00007 | Goal Hijacking via Prompt Injection | 6.1 | MEDIUM |
| AVE-2026-00008 | Persistence via Self-Replication | 6.3 | MEDIUM |
| AVE-2026-00009 | Jailbreak via Safety Constraint Removal | 5.5 | MEDIUM |
| AVE-2026-00010 | Hidden Instruction Concealment | 5.6 | MEDIUM |
| AVE-2026-00011 | Dynamic Tool Call with Attacker Parameters | 5.7 | MEDIUM |
| AVE-2026-00012 | Privilege Escalation via Permission Grant | 4.5 | MEDIUM |
| AVE-2026-00013 | PII Exfiltration Pattern | 6.5 | MEDIUM |
| AVE-2026-00014 | Social Engineering via Trust Escalation | 3.7 | LOW |
| AVE-2026-00015 | System Prompt Disclosure | 4.9 | MEDIUM |
| AVE-2026-00016 | Indirect Prompt Injection via RAG Retrieval | 6.4 | MEDIUM |
| AVE-2026-00017 | MCP Server Impersonation | 5.7 | MEDIUM |
| AVE-2026-00018 | Tool Result Manipulation | 4.4 | MEDIUM |
| AVE-2026-00019 | Agent Memory Poisoning | 5.6 | MEDIUM |
| AVE-2026-00020 | Cross-Agent Injection via A2A Protocol | 5.9 | MEDIUM |
| AVE-2026-00021 | Human-in-the-Loop Bypass | 4.5 | MEDIUM |
| AVE-2026-00022 | Scope Creep via Undeclared Resource Access | 6.0 | MEDIUM |
| AVE-2026-00023 | Context Window Manipulation | 5.8 | MEDIUM |
| AVE-2026-00024 | Supply Chain: Binary Content Disguised as Skill | 6.8 | MEDIUM |
| AVE-2026-00025 | Conversation History Injection | 4.5 | MEDIUM |
| AVE-2026-00026 | Tool Output Exfiltration via Encoding | 6.8 | MEDIUM |
| AVE-2026-00027 | Multi-Turn Persistence Attack | 5.6 | MEDIUM |
| AVE-2026-00028 | File Content Injection | 5.9 | MEDIUM |
| AVE-2026-00029 | Homoglyph and Unicode Obfuscation | 4.8 | MEDIUM |
| AVE-2026-00030 | False Role Claim | 4.3 | MEDIUM |
| AVE-2026-00031 | Feedback Loop Poisoning | 5.4 | MEDIUM |
| AVE-2026-00032 | Internal Network Reconnaissance | 4.0 | MEDIUM |
| AVE-2026-00033 | Unsafe Deserialization in Skill Context | 4.2 | MEDIUM |
| AVE-2026-00034 | Dynamic Skill Import at Runtime | 6.6 | MEDIUM |
| AVE-2026-00035 | Sensor and Environment Manipulation | 4.2 | MEDIUM |
| AVE-2026-00036 | Lateral Movement via Agent Pivot | 5.9 | MEDIUM |
| AVE-2026-00037 | Vision and Multimodal Injection | 5.1 | MEDIUM |
| AVE-2026-00038 | Unbounded Tool Use | 5.9 | MEDIUM |
| AVE-2026-00039 | Covert Exfiltration via Steganographic Channel | 4.9 | MEDIUM |
| AVE-2026-00040 | Insecure Output Handling | 5.4 | MEDIUM |
| AVE-2026-00041 | MCP Server-Card Injection | 8.2 | HIGH |
| AVE-2026-00042 | REPL Code Mode Credential Exposure | 4.7 | MEDIUM |
| AVE-2026-00043 | MCP App UI Injection | 4.7 | MEDIUM |
| AVE-2026-00044 | Async Task Result Poisoning | 6.1 | MEDIUM |
| AVE-2026-00045 | Cross-App-Access Escalation | 6.4 | MEDIUM |
| AVE-2026-00046 | MCP Tool Hook Hijacking | 9.2 | CRITICAL |
| AVE-2026-00047 | Hardcoded Credentials in Agent Component | 7.6 | HIGH |
| AVE-2026-00048 | Unsafe Agent Delegation Chain | 7.7 | HIGH |
| AVE-2026-00049 | HTTP Host Header Injection (BadHost) | 7.2 | HIGH |
| AVE-2026-00050 | Parasitic Toolchain — Silent Tool Registration | 7.2 | HIGH |
| AVE-2026-00051 | OAuth Discovery Rebinding | 7.2 | HIGH |
Every AVE record has detection rules in bawbel/scanner — the reference implementation of this standard.
```bash
pip install bawbel-scanner

# Scan a skill file
bawbel scan ./my-skill.md

# Scan a directory recursively
bawbel scan ./skills/ --recursive --fail-on-severity high

# Scan an MCP server card
bawbel scan-server-card https://api.your-mcp-server.io

# Full remediation report
bawbel report ./my-skill.md
```

Example output:

```text
CRITICAL  bawbel-hook-hijack           AVE-2026-00046  line 3   AIVSS 9.2
HIGH      bawbel-unsafe-delegation     AVE-2026-00048  line 11  AIVSS 7.7
HIGH      bawbel-hardcoded-credential  AVE-2026-00047  line 5   AIVSS 7.6
```
Any tool can implement AVE — the records, schema, and rules are open. See the architecture guide for the implementer contract.
Records validate against `schema/ave-record-1.0.0.schema.json`. Canonical `$id`: `https://ave.bawbel.io/schema/ave-record-1.0.0.schema.json`
15 required fields:
ave_id · schema_version · status · published
title · description · attack_class · severity · behavioral_fingerprint
aivss · owasp_mcp
indicators_of_compromise · remediation
references · researcher
Minimal valid record:

```json
{
  "ave_id": "AVE-2026-00001",
  "schema_version": "1.0.0",
  "status": "active",
  "published": "2026-04-01T09:00:00Z",
  "title": "Metamorphic payload via external config fetch",
  "attack_class": "Supply Chain - Metamorphic Payload",
  "severity": "HIGH",
  "description": "A skill fetches its instructions from an external URL at runtime...",
  "behavioral_fingerprint": "Component fetches and executes remote content, replacing its own instructions at runtime.",
  "aivss": {
    "cvss_base": 8.5, "aars": 7.5, "thm": 1.0,
    "mitigation_factor": 1.0, "aivss_score": 8.0, "spec_version": "0.8"
  },
  "owasp_mcp": ["MCP04", "MCP06"],
  "indicators_of_compromise": ["fetch() pointing to external URL"],
  "remediation": "Remove the component. Block network egress. Audit agent actions.",
  "references": [{"tag": "Disclosure", "text": "Source", "url": "https://..."}],
  "researcher": "Bawbel Security Research Team"
}
```

All optional fields:
component_type · last_updated · behavioral_vector · aivss_score ·
cvss_base_vector · owasp_mapping · mitre_atlas_mapping ·
nist_ai_rmf_mapping · affected_platforms · affected_registries ·
mutation_count · detection_methodology · kill_switch_active ·
researcher_url · aivss.aarf · aivss.aivss_severity ·
aivss.owasp_mcp_mapping · aivss.notes · evidence_kind_default ·
detection_stage · detection_layer · confidence_baseline ·
evidence_basis_engines · derivable_into
Full schema reference: ave.bawbel.io/schema.html
A new record needs all three: the attack class is not already covered by an existing record, there is a citable primary source (CVE, paper, disclosed incident, or working PoC), and the class is specific to agentic components — not a generic web or API vulnerability.
If you think an existing class covers the behavior you found, open an issue anyway. It may warrant a sub-case note in the parent record rather than a new id.
Open a New AVE Record issue before writing any JSON. Include:
- The proposed `attack_class` and a one-sentence `behavioral_fingerprint`
- A link to the primary source
- Whether this is net-new or a variant of an existing record
The maintainer will confirm the next AVE id and whether it is a new class or a variant update.
Copy `records/AVE-2026-00001.json` as a template. All 15 required fields must be present and valid.
AIVSS calculation:
1. Score each AARF factor 0.0–1.0
2. AARS = sum of all 10 AARF scores
3. AIVSS = ((CVSS_Base + AARS) / 2) × ThM × Mitigation_Factor
4. ThM: 0.75 theoretical · 0.90 PoC exists · 1.0 in-the-wild
5. Round to 1 decimal
6. Severity: CRITICAL ≥ 9.0 · HIGH ≥ 7.0 · MEDIUM ≥ 4.0 · LOW < 4.0
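The six calculation steps above, and the worked example for AVE-2026-00001 earlier on the page, carried out in Python as an added example (this is not code from the AVE repository or from bawbel-scanner). Beyond the arithmetic it performs the cross-field checks a JSON Schema pass does not make: all 15 required fields present, an `aarf` block (when given) summing to `aars`, `aivss_score` equal to the recomputed value, and `severity` matching the band of that score. Assumptions: the `AVE-YYYY-NNNNN` id shape is inferred from the ids listed on this page, the `aivss` sub-fields used are the ones the minimal record above shows, and the sample record is a constructed copy of that minimal record.

```python
"""AIVSS v0.8 arithmetic and cross-field checks for an AVE record (added example, not AVE/bawbel code)."""
from __future__ import annotations

import re
from decimal import ROUND_HALF_UP, Decimal

# The ten AARF factors, in the order of the page's table.
AARF_FACTORS = (
    "autonomy", "tool_use", "multi_agent", "non_determinism", "self_modification",
    "dynamic_identity", "persistent_memory", "natural_language_input",
    "data_access", "external_dependencies",
)
VALID_THM = (0.75, 0.90, 1.0)  # theoretical / PoC exists / in-the-wild
REQUIRED_FIELDS = (            # the 15 top-level fields the schema requires
    "ave_id", "schema_version", "status", "published", "title", "description",
    "attack_class", "severity", "behavioral_fingerprint", "aivss", "owasp_mcp",
    "indicators_of_compromise", "remediation", "references", "researcher",
)
# Assumption: id shape inferred from the ids listed on the page (AVE-YYYY-NNNNN).
AVE_ID_RE = re.compile(r"^AVE-\d{4}-\d{5}$")

def aars_from_aarf(aarf: dict[str, float]) -> float:
    """Steps 1-2: every factor present and within 0.0-1.0; AARS is their sum."""
    missing = [f for f in AARF_FACTORS if f not in aarf]
    if missing:
        raise ValueError(f"missing AARF factors: {missing}")
    for name in AARF_FACTORS:
        if not 0.0 <= aarf[name] <= 1.0:
            raise ValueError(f"{name}={aarf[name]} is outside 0.0-1.0")
    return sum(aarf[name] for name in AARF_FACTORS)

def aivss_score(cvss_base: float, aars: float, thm: float, mitigation_factor: float = 1.0) -> float:
    """Steps 3-5: ((CVSS_Base + AARS) / 2) x ThM x Mitigation_Factor, rounded to one
    decimal half-up through Decimal, so 4.875 -> 4.9 regardless of binary float noise."""
    if thm not in VALID_THM:
        raise ValueError(f"ThM must be one of {VALID_THM}, got {thm}")
    if not (0.0 <= cvss_base <= 10.0 and 0.0 <= aars <= 10.0):
        raise ValueError("CVSS_Base and AARS must both lie in 0.0-10.0")
    raw = ((cvss_base + aars) / 2) * thm * mitigation_factor
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def severity_band(score: float) -> str:
    """Step 6: CRITICAL >= 9.0, HIGH >= 7.0, MEDIUM >= 4.0, otherwise LOW."""
    for floor, band in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM")):
        if score >= floor:
            return band
    return "LOW"

def check_record(record: dict) -> list[str]:
    """Return a list of problems (empty = internally consistent). These are the
    cross-field checks that a JSON Schema pass does not make."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in record]
    if "ave_id" in record and not AVE_ID_RE.match(str(record["ave_id"])):
        problems.append(f"ave_id {record['ave_id']!r} does not match AVE-YYYY-NNNNN")
    aivss = record.get("aivss")
    if not isinstance(aivss, dict):
        return problems
    try:  # the sub-fields read here are the ones the page's minimal record shows (assumption)
        if "aarf" in aivss and abs(aars_from_aarf(aivss["aarf"]) - aivss["aars"]) > 1e-9:
            problems.append(f"aarf factors do not sum to aars={aivss['aars']}")
        expected = aivss_score(aivss["cvss_base"], aivss["aars"], aivss["thm"], aivss["mitigation_factor"])
        stated = aivss["aivss_score"]
    except (KeyError, TypeError, ValueError) as exc:
        return problems + [f"aivss block unusable: {exc!r}"]
    if abs(expected - stated) > 1e-9:
        problems.append(f"aivss_score {stated} != recomputed {expected}")
    if record.get("severity") != severity_band(expected):
        problems.append(f"severity {record.get('severity')!r} != {severity_band(expected)!r} for {expected}")
    return problems

# AARF factors of the page's worked example (AVE-2026-00001), in AARF_FACTORS order.
WORKED_EXAMPLE_AARF = dict(zip(AARF_FACTORS, (1.0, 1.0, 0.5, 1.0, 1.0, 0.0, 0.5, 1.0, 0.5, 1.0)))

# Constructed sample: a copy of the page's minimal valid record.
SAMPLE_RECORD = {
    "ave_id": "AVE-2026-00001", "schema_version": "1.0.0", "status": "active",
    "published": "2026-04-01T09:00:00Z", "severity": "HIGH",
    "title": "Metamorphic payload via external config fetch",
    "attack_class": "Supply Chain - Metamorphic Payload",
    "description": "A skill fetches its instructions from an external URL at runtime...",
    "behavioral_fingerprint": "Component fetches and executes remote content, replacing its own instructions at runtime.",
    "aivss": {"cvss_base": 8.5, "aars": 7.5, "thm": 1.0, "mitigation_factor": 1.0, "aivss_score": 8.0, "spec_version": "0.8"},
    "owasp_mcp": ["MCP04", "MCP06"], "indicators_of_compromise": ["fetch() pointing to external URL"],
    "remediation": "Remove the component. Block network egress. Audit agent actions.",
    "references": [{"tag": "Disclosure", "text": "Source", "url": "https://..."}],
    "researcher": "Bawbel Security Research Team",
}

def score_worked_example() -> tuple[float, float, str]:
    """Reproduce the page's worked example: AARS 7.5, AIVSS 8.0, HIGH."""
    aars = aars_from_aarf(WORKED_EXAMPLE_AARF)
    score = aivss_score(8.5, aars, 1.0, 1.0)
    return aars, score, severity_band(score)

if __name__ == "__main__":
    print(score_worked_example())       # (7.5, 8.0, 'HIGH')
    print(check_record(SAMPLE_RECORD))  # []
```

Rounding goes through `Decimal` with half-up so that a raw score such as 4.875 lands on 4.9 deterministically; Python's built-in `round()` uses banker's rounding on binary floats and can disagree with a hand calculation at the .x5 boundary. Run `check_record` on a draft record after the ajv schema pass: the schema confirms shape, this confirms that the numbers and the severity label agree with each other.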
Validate before opening a PR:

```bash
npm install ajv ajv-formats
node -e "
const Ajv = require('ajv/dist/2020');
const addFormats = require('ajv-formats');
const ajv = new Ajv({ strict: false });
addFormats(ajv);
const schema = require('./schema/ave-record-1.0.0.schema.json');
const record = require('./records/AVE-2026-NNNNN.json');
const ok = ajv.validate(schema, record);
if (!ok) console.error(ajv.errors); else console.log('valid');
"
```

Open a coordinated PR in bawbel/scanner with at least one detection rule and a positive and negative fixture. The AVE record PR and the scanner PR should reference each other.
Title: `feat: AVE-2026-NNNNN — <attack class>`

The PR description must include:
- Link to the issue
- AARF scores with a one-line rationale for each non-zero factor
- At least one `indicators_of_compromise` entry a defender can actually search for
- Link to the primary source
- Link to the coordinated scanner PR
AVE records map to four external frameworks. Full crosswalk tables are at ave.bawbel.io/crosswalks.html.
| Framework | Field | Crosswalk |
|---|---|---|
| OWASP AST10 | owasp_mapping (ASI01–ASI10) | crosswalks/ave-to-ast10.md |
| OWASP MCP Top 10 | owasp_mcp | all records |
| MITRE ATLAS | mitre_atlas_mapping | where applicable |
| NIST AI RMF | nist_ai_rmf_mapping | where applicable |
| This scanner | Maps to AVE via |
|---|---|
| SkillSpector (NVIDIA) | crosswalks/skillspector-to-ave.json |
| ClawScan (OpenClaw) | crosswalks/clawscan-to-ave.json |
Maintaining a scanner? Map your finding types to AVE ids so your results interoperate with every other AVE implementation.
| Resource | Description |
|---|---|
| ave.bawbel.io | Public registry and documentation |
| bawbel/scanner | Reference implementation |
| bawbel/ave-site | Website source |
| api.piranha.bawbel.io | Threat intel API |
| OWASP AIVSS v0.8 | Scoring specification |
| MITRE ATLAS | AI threat technique catalog |
| OWASP MCP Top 10 | MCP attack surface framework |
AVE records and schema are published under Apache 2.0.