The field has many scanners and no shared vocabulary: independent studies find different tools barely agree on what they flag. AVE is the neutral reference they can all map to. These crosswalks let findings from any tool resolve to a common AVE id, so results become comparable across the ecosystem.

NVIDIA SkillSpector organizes detection into 16 categories spanning 64 patterns. Each category maps to one or more AVE behavioral classes. Entries marked “—” are categories with no distinct AVE class, or scanner-internal mechanics rather than a vulnerability class.

| SkillSpector category | AVE id(s) |
|---|---|
| prompt injection | AVE-2026-00002, AVE-2026-00013 |
| data exfiltration | AVE-2026-00026 |
| privilege escalation | AVE-2026-00045 |
| supply chain | AVE-2026-00042 |
| excessive agency | AVE-2026-00011, AVE-2026-00048 |
| output handling | AVE-2026-00026 |
| system prompt leakage | AVE-2026-00013 |
| memory poisoning | AVE-2026-00013 |
| tool misuse | AVE-2026-00045 |
| rogue agent | AVE-2026-00048 |
| trigger abuse | AVE-2026-00001 |
| dangerous code (AST) | AVE-2026-00024 |
| taint tracking | AVE-2026-00050 |
| YARA signatures | — (engine, not a class) |
| MCP least privilege | AVE-2026-00011 |
| MCP tool poisoning | AVE-2026-00002, AVE-2026-00045 |

ClawScan finding types mapped to AVE ids. Source dataset: OpenClaw/clawhub-security-signals.

| ClawScan finding type | AVE id |
|---|---|
| instruction-override | AVE-2026-00002 |
| remote-fetch | AVE-2026-00001 |
| post-install-mutation | AVE-2026-00042 |
| egress-to-unknown-host | AVE-2026-00026 |
| cross-server-call | AVE-2026-00045 |
| header-tamper | AVE-2026-00049 |
| oauth-misconfig | AVE-2026-00051 |
| type-spoof | AVE-2026-00024 |

Every AVE record maps to the frameworks teams already trust. Generated from the record set.

| AVE id | Attack class | OWASP MCP | OWASP Agentic | MITRE ATLAS |
|---|---|---|---|---|