AIVSS Risk Mapping

How the Agent Passport System maps against the OWASP AI Vulnerability Scoring System. 10 risks assessed. Honest coverage. No inflated claims.

Summary: 5 Strong, 3 Partial, 2 Weak.
What these ratings mean. Strong: cryptographic or deterministic enforcement, tested with adversarial scenarios. Partial: detection, reputation consequences, or structural mitigation, but not hard prevention. Weak: the protocol acknowledges the risk but provides minimal mitigation. All adversarial tests are developer-authored internal evaluation, not independent red-team validation.
Strong Coverage

#1 Identity Spoofing

Ed25519 key pairs bind identity to cryptographic material. Passport signatures are verified on every protocol interaction. An attacker cannot impersonate another agent without possessing its private key.

INV-1 | Layer 1: Identity | Adversarial: S1

#2 Access Control Violation

Monotonic scope narrowing is enforced at every delegation step. The deterministic gate checks scope on every action. Sub-delegations cannot exceed parent scope. Spend limits can only decrease.

INV-2 | INV-3 | Layer 1: Delegation | Layer 5: Policy | Adversarial: S2

#3 Cascading Failures

Revoking a delegation cascades to all descendants. Revocation is irreversible. A compromised intermediate agent's entire sub-tree can be neutralized by revoking its delegation.

INV-4 | INV-5 | Layer 1: Delegation | Adversarial: S5

#4 Untraceable Agents

Every delegation chain traces to a human principal. Traceability (F-001) is technically enforced. Merkle attribution provides compact, verifiable proof of the beneficiary chain.

INV-8 | Layer 3: Attribution | Adversarial: S3
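A minimal model of the delegation gate that #2, #3 and #4 describe (scope can only narrow, spend limits can only decrease, revocation cascades, every chain roots at a human principal), added here as an illustration; it is not the protocol's own SDK code, the Delegation class and the delegate(), revoke(), chain() and gate() names are assumptions, and the Ed25519 signature checks the passport layer performs are left out.

```python
# Added illustration, not the Agent Passport SDK. Hypothetical model: a
# delegation carries a scope (set of allowed actions) and a spend limit;
# each child must narrow both, and revoking a node revokes its subtree.
from dataclasses import dataclass, field


@dataclass
class Delegation:
    id: str
    parent: "Delegation | None"      # None marks the human principal (root)
    scope: frozenset
    spend_limit: int
    revoked: bool = False
    children: list = field(default_factory=list)


class DelegationError(Exception):
    pass


def delegate(parent, child_id, scope, spend_limit):
    """Create a sub-delegation; refuse any widening of scope or spend."""
    scope = frozenset(scope)
    if parent.revoked:
        raise DelegationError(f"{parent.id} is revoked")
    if not scope <= parent.scope:
        raise DelegationError(f"scope {sorted(scope - parent.scope)} exceeds parent")
    if spend_limit > parent.spend_limit:
        raise DelegationError("spend limit exceeds parent")
    child = Delegation(child_id, parent, scope, spend_limit)
    parent.children.append(child)
    return child


def rejects(*args):
    """True if delegate(*args) is refused by the gate (used by callers/tests)."""
    try:
        delegate(*args)
        return False
    except DelegationError:
        return True


def revoke(d):
    """Irreversibly revoke a delegation and every descendant (cascade)."""
    d.revoked = True
    for c in d.children:
        revoke(c)


def chain(d):
    """Walk to the root; the last id is the human principal the chain traces to."""
    out = []
    while d is not None:
        out.append(d.id)
        d = d.parent
    return out


def gate(d, action, amount):
    """Deterministic per-action check: no revoked ancestor, action in scope,
    amount within the (already monotonically narrowed) spend limit."""
    node = d
    while node is not None:          # re-walk the chain as defence in depth
        if node.revoked:
            return False
        node = node.parent
    return action in d.scope and amount <= d.spend_limit
```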

#5 Tool Misuse

The three-signature chain requires an intent declaration before action, a policy evaluation before execution, and a receipt after completion. Commerce actions are gated by a 4-gate preflight with spend limits.

INV-6 | Layer 5: Policy | Layer 8: Commerce | Adversarial: S4
Partial Coverage

#6 Memory Manipulation

Agora provides signed, append-only message feeds. Tampering with historical messages is detectable through signature verification. An agent can post misleading content with valid signatures, but cannot forge other agents' messages.

Layer 4: Agora | F-006: Non-Deception | Adversarial: S6
Gap: Protocol does not protect agent internal memory (prompt context, conversation history) from manipulation. Misleading content from own identity is not blocked.

#7 Insecure Orchestration

The coordination layer provides structured task lifecycles with evidence, review, and handoff gates. The MCP server, when deployed as a gateway, mediates all agent actions.

Layer 6: Coordination | MCP Gateway | Adversarial: S7
Gap: Orchestration bypass is possible when agents interact outside the protocol or when the MCP server is not the sole enforcement point. Strong under MCP-as-gateway, weak under voluntary SDK.

#8 Unsafe Interactions

The policy engine evaluates intents against the values floor. Advisory evaluation assesses proportionality and deception. Commerce actions are independently gated even when triggered from coordination.

Layer 5: Policy | F-006, F-007 | Adversarial: S8
Gap: Advisory evaluations are LLM-based and carry reputation consequences, not hard blocks. An agent determined to act unsafely accumulates reputation damage but is not deterministically prevented.
Weak Coverage

#9 Supply Chain

The protocol does not currently verify the provenance of its own governance artifacts (floor definitions, policy configurations, agent binaries). A compromised floor.yaml or backdoored SDK would undermine all guarantees.

Adversarial: S9 (expected fail)
Acknowledged gap. Supply chain integrity frameworks like SLSA could be integrated. This is a known limitation, not a missed requirement.

#10 Goal Manipulation

The protocol enforces scope, not intent alignment. An agent pursuing misaligned goals within literal scope passes all deterministic checks. F-008 (Epistemic Security) provides a governance principle, not a hard mitigation.

F-008: Epistemic Security | Adversarial: S10 (expected fail)
Acknowledged gap. Goal manipulation is internal to agent reasoning (Class 3 attacker). This is fundamentally outside protocol-level enforcement. Future work: evidence-gated mechanisms, runtime attestation (Layer 9).