Tools: We Built the CVE Database for AI Agents and Here's What We Found Scanning 100 MCP Servers - 2025 Update
The problem nobody is talking about
The AVE Standard, CVE for agentic AI
Compliance and Standards
What we found scanning 100 MCP servers
The scanner: 6 detection engines
The false positive problem
VS Code integration
CI/CD in one step
What's next
Try it TLDR: We scanned the top 100 MCP servers on Smithery and found prompt injection, external fetch patterns, and tool description poisoning in a significant number of them. We built an open-source scanner and vulnerability standard to catch these which is bawbel-scanner v1.0.1 ships today. The security industry has spent 30 years building tools to scan code. We have Snyk for dependencies, Semgrep for code patterns, Trivy for containers. The pipeline is well-defended. Then AI agents showed up. A modern agentic AI stack in 2026 looks like this: Every one of those surfaces is an attack vector. And none of the existing security tools scan them. A poisoned SKILL.md file can: This isn't theoretical. We found these patterns in production MCP servers. Before building a scanner, we needed a vocabulary.
The security industry standardized on CVE (Common Vulnerabilities and Exposures) in 1999. Every vulnerability gets a unique ID, a severity score, and a published record. Security teams worldwide speak the same language. No equivalent existed for agentic AI. Cisco has an internal classification called AIUC proprietary, not public. Nobody else had published a systematic enumeration.We built one: AVE(Agentic Vulnerability Enumeration).40 published records covering the full agentic attack surface:Colons can be used to align columns. All records are public at api.piranha.bawbel.io.The standard is Apache 2.0: github.com/bawbel/bawbel-ave. Speaks the language your security team already usesEvery AVE record is mapped to established frameworks. Not marketing, the mappings are in the published JSON records at api.piranha.bawbel.io. We scanned the top 100 MCP servers on Smithery using bawbel scan. A fewexamples of what we found (servers anonymized): Tool description poisoning (AVE-2026-00002)MCP servers whose tool descriptions contain behavioral instructions targetingthe agent rather than describing what the tool does. External instruction fetch (AVE-2026-00001, CVSS-AI: 9.4)Skills that instruct the agent to load its operating instructions from anexternal URL at runtime — enabling metamorphic payload attacks. Autonomous action without confirmation (AVE-2026-00021)Skills that explicitly tell the agent not to ask for user confirmation beforetaking irreversible actions. bawbel-scanner runs 6 engines in sequence: Stage 0: MagikaML-based content-type verification. Catches ELF binaries, Windows PE32, PHPscripts, and shell scripts uploaded with .md or .yaml extensions. Mapsto AVE-2026-00024 (binary content disguised as skill file). Stage 1a: Pattern (37 rules)Pure Python regex. No dependencies. Always runs. Covers all 40 AVE IDs.Returns in ~15ms on a typical skill file. Stage 1b: YARA (39 rules)Binary + text matching. Handles Unicode homoglyph attacks where Cyrilliccharacters replace Latin ones in attack strings. Stage 1c: Semgrep (41 rules)Structural pattern matching. Handles multi-line patterns that regex misses. Stage 2: LLMSemantic analysis via LiteLLM — any provider, any model. Catches novel attackpatterns that rule-based engines miss. Optional, skipped if no API key. Stage 3: Behavioral sandboxDocker + eBPF syscall tracing. Runs the skill in isolation and monitors what it actually does. Catches obfuscated attacks that evade static analysis. Security tools that cry wolf get disabled. We built 5 layers of FP reduction: Code fence stripping: content inside ... blocks is replacedwith blank lines before static analysis. Documentation examples don't fire. Negation context: if the line above a match contains "bad example:","avoid:", "❌", etc., the finding is suppressed. Confidence scoring: 10 signals (negation context, table position,heading position, docs path, match length, line position, multi-engineagreement, skill file name, CVSS score) combine into a 0–1 confidence.Findings below 0.80 are moved to suppressed_findings. LLM meta-analysis: one API call per file covers allmedium-confidence findings. Verdicts: real, false_positive, needs_review. File-type profiles: documentation files require confidence > 0.85.Skill files use a lower threshold of 0.60. Result: 21 documentation files → 0 active findings. The extension (v1.1.0) is live on the Marketplace: Save a skill file → squiggles appear in ~25ms. Hover to see: Right-click any squiggle → suppress false positive → inserts<!-- bawbel-ignore: bawbel-shell-pipe --> at end of line. Suppression isattributed to the developer via git config user.name. Commit
.bawbel-suppress.json to share suppressions with your team. Installs scanner. Runs scan. Uploads SARIF to the GitHub Security tab. Blocks merges on CRITICAL or HIGH findings. Pre-commit, GitLab CI, Jenkins, CircleCI templates also available. The 2026 MCP roadmap (per Anthropic's David Soria Parra at AI Engineer Europe) introduces new attack surfaces: AVE records 41–45 and the corresponding scanner rules are on the v1.1.0 roadmap (Q2 2026). If you build agents, this is your security layer. Everything is open source. Stars and contributions welcome. bawbel.io · @bawbel_io Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse
