C06 (Supply Chain) and C09 (Orchestration & Agentic Action) currently reference standards and OWASP resources, but no empirical research on how agent supply-chain attacks actually manifest in the wild.
I am the first author of a measurement study accepted at USENIX Security 2026 that may be useful here:
"Do Not Mention This to the User": Detecting and Understanding Malicious Agent Skills in the Wild — https://arxiv.org/abs/2602.06547 (arXiv:2602.06547)
We analyzed 98,380 AI agent skills from public marketplaces and confirmed 157 malicious skills carrying 632 vulnerabilities. Findings relevant to AISVS requirements:
- 73.2% of malicious skills implemented shadow features — behavior hidden from the user — which supports C09 requirements around verifying declared vs. actual agent behavior.
- 54.1% of confirmed malicious skills traced to a single publisher cluster, supporting C06 provenance/publisher-trust requirements.
- Skills passed marketplace listing with no behavioral vetting; static metadata review alone missed most of them — relevant to requirements that mandate behavioral verification before deployment.
Proposal: add the paper to the References lists of C06 and C09 (format matching the existing `* [Title](url)` bullets), and optionally Appendix B. Happy to open the PR myself if maintainers agree.
Disclosure: I am an author of the paper, so please weigh the suggestion accordingly — the empirical numbers are independently verifiable via the public dataset linked from the paper.