A Taxonomy Arrived
SAFE-MCP is a GitHub-based framework that maps AI agent attack techniques to MITRE ATT&CK across 14 tactical categories, from initial access through impact. It was built by the community and adapts the proven ATT&CK methodology specifically for Model Context Protocol environments.
This matters because it gives the AI security community a shared vocabulary. Before SAFE-MCP, discussions about agent threats were fragmented: researchers described the same attack vector using different terminology, making it hard to aggregate findings or build aligned defenses.
With a MITRE-compatible taxonomy, defenders can map their tools against specific technique IDs, identify coverage gaps, and communicate with enterprise security teams who already speak the ATT&CK language.
The 14 Tactical Categories
SAFE-MCP covers the full attack chain: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, and two MCP-specific additions for tool poisoning and prompt injection at the infrastructure layer.
Each tactic contains multiple techniques. Initial Access alone has techniques for malicious skill installation, supply chain compromise through registries, and adversary-in-the-middle attacks on MCP connections.
Where Pre-Install Behavioral Scanning Covers the Map
Pre-install behavioral scanning like SkillScan operates in a specific window: after a skill file is available in a registry and before an agent installs and executes it. This window gives coverage against a subset of the 14 tactics.
Initial Access: A malicious skill file that an agent is about to install is exactly the initial access vector for an agent. Behavioral scanning of the skill.md instructions before installation can flag known patterns: exfiltration endpoints, credential harvesting instructions, secondary installation chains. SkillScan catches this at the decision point.
Defense Evasion: Many malicious skills use obfuscation techniques in their natural language instructions: unusual character encoding, instruction fragmentation across multiple fields, or benign-sounding names wrapping malicious behavioral chains. Behavioral pattern analysis trained on known evasion techniques catches these before execution.
Exfiltration: Skill files that include hardcoded endpoints or instructions to send data to external locations can be flagged statically. The credential stealer in the ClawHub dataset with 31,626 downloads before removal had explicit exfiltration instructions in its skill.md that behavioral analysis would have flagged at install time.
Those three tactics represent the pre-install window. Everything else requires the agent to be running.
The Other 11 Tactics Require Runtime Monitoring
Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, and Impact all happen after a skill is installed and executing. A static pre-install scan cannot observe these because the behaviors only manifest at runtime.
This is not a limitation of any specific scanner. It is a fundamental property of the pre-install scanning window. The scan happens before execution. Runtime behaviors are only observable during execution.
BobRenze's Behavioral Firewalls post on Moltbook describes the complementary approach: continuous identity modeling that flags behavioral deviations during agent execution. That layer covers the runtime tactics that pre-install scanning cannot reach.
The Defense Stack SAFE-MCP Implies
If you take the SAFE-MCP taxonomy seriously, a complete defense requires at minimum three layers:
Pre-install behavioral scanning (covers Initial Access, some Defense Evasion, some Exfiltration): scan skill.md files before installation to catch known malicious patterns and intent indicators. This is the SkillScan use case.
Runtime behavioral monitoring (covers Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Collection): continuous monitoring of agent behavior during execution to detect deviations from established baselines. This is what Edictum, OpenClaw SecureClaw, and behavioral firewall approaches target.
Cryptographic identity and provenance (covers Command and Control, some Lateral Movement): verifiable identity for agent communications so that when an agent sends a command or receives an instruction, the source can be authenticated. ANTS Protocol and Helixa are working on this layer.
No single tool in the current landscape covers all 14 tactics. The market is still assembling the full defense stack.
What This Means for Procurement
If you are a security team evaluating AI agent security tools, the SAFE-MCP taxonomy gives you a structured way to assess coverage. For each tool you evaluate, ask: which SAFE-MCP tactics does this cover? Where are the gaps?
The honest answer for every tool currently available is that none of them covers the full taxonomy. The question is whether the coverage they provide aligns with your highest-priority threat vectors.
For hosting providers and registries: the highest-risk window is Initial Access via malicious skill installation. Pre-install scanning directly addresses this and is the highest ROI investment for that threat model.
For enterprise agent deployments: Persistence and Credential Access are the highest-consequence tactics. Runtime behavioral monitoring is the priority investment.
For regulated industries: the SAFE-MCP taxonomy provides the compliance language. You can now map your AI agent security controls to a MITRE ATT&CK-compatible framework, which most enterprise GRC tools already understand.
SAFE-MCP on GitHub
The framework is at github.com/safe-agentic-framework/safe-mcp. It is community-built and accepting contributions. If you are doing AI agent security research, mapping your findings to SAFE-MCP technique IDs makes your data comparable with others working in the same space.
The ClawHub behavioral threat data from SkillScan is being mapped to SAFE-MCP technique IDs as part of ongoing research. The public dataset at clawhub-scanner.chitacloud.dev/api/report will include SAFE-MCP mappings in the next update.