| AUTH-001 | OAuth 2.1 implementation present | Authentication | high | CWE-287 | Yes |
| AUTH-002 | PKCE enforcement on OAuth flows | Authentication | high | CWE-287 | Yes |
| AUTH-003 | Token storage audit (plaintext detection) | Authentication | critical | CWE-312 | Yes |
| AUTH-004 | HTTPS enforcement on all OAuth URLs | Authentication | high | CWE-319 | Yes |
| AUTH-005 | Token scope analysis (overly broad) | Authentication | medium | CWE-269 | Yes |
| AUTH-006 | Token expiration check (> 1 hour flagged) | Authentication | medium | CWE-613 | Yes |
| AUTH-007 | Cross-server token passthrough | Authentication | high | CWE-200 | Partial |
| AUTH-008 | Session fixation vectors | Authentication | high | CWE-384 | Partial |
| AUTH-009 | RFC 8707 resource indicator support | Authentication | medium | CWE-269 | Yes |
| TOOL-001 | Description field injection patterns | Tool Security | critical | CWE-94 | Yes |
| TOOL-002 | Parameter name injection patterns | Tool Security | critical | CWE-94 | Yes |
| TOOL-003 | Parameter type/anyOf/oneOf abuse | Tool Security | high | CWE-94 | Yes |
| TOOL-004 | Enum value injection patterns | Tool Security | high | CWE-94 | Yes |
| TOOL-005 | Tool output injection patterns | Tool Security | critical | CWE-94 | Yes |
| TOOL-006 | Tool schema hash baseline (rug pull) | Tool Security | critical | CWE-494 | Yes |
| TOOL-007 | Tool shadowing (cross-tool name collision) | Tool Security | high | CWE-706 | Yes |
| TOOL-008 | Permission scope over-privilege | Tool Security | medium | CWE-269 | Partial |
| TOOL-009 | Human approval flow presence | Tool Security | medium | CWE-862 | Yes |
| TOOL-010 | Dangerous capability combination | Tool Security | high | CWE-269 | Partial |
| INP-001 | SSRF via tool parameters (private IP ranges) | Input Validation | critical | CWE-918 | Yes |
| INP-002 | SSRF via OAuth metadata discovery | Input Validation | critical | CWE-918 | Yes |
| INP-003 | AWS/GCP/Azure metadata endpoint access | Input Validation | critical | CWE-918 | Yes |
| INP-004 | Command injection through parameters | Input Validation | critical | CWE-78 | Yes |
| INP-005 | SQL injection through AI-generated queries | Input Validation | high | CWE-89 | Yes |
| INP-006 | Path traversal in filesystem tools | Input Validation | critical | CWE-22 | Yes |
| INP-007 | DNS rebinding susceptibility | Input Validation | high | CWE-350 | Partial |
| INP-008 | XML/JSON injection in structured params | Input Validation | medium | CWE-91 | Yes |
| INP-009 | URL scheme validation (file://, gopher://) | Input Validation | high | CWE-918 | Yes |
| DATA-001 | Credential patterns in tool descriptions | Data Security | critical | CWE-200 | Yes |
| DATA-002 | PII patterns in tool responses | Data Security | high | CWE-200 | Partial |
| DATA-003 | Secrets in error messages | Data Security | high | CWE-209 | Yes |
| DATA-004 | Secrets in log output | Data Security | high | CWE-532 | Partial |
| DATA-005 | Cross-server data leakage patterns | Data Security | high | CWE-200 | Partial |
| DATA-006 | Sensitive data in URL parameters | Data Security | medium | CWE-598 | Yes |
| CHAIN-001 | npm package provenance verification | Supply Chain | high | CWE-494 | Yes |
| CHAIN-002 | Known CVE matching in dependencies | Supply Chain | varies | varies | Yes |
| CHAIN-003 | Typosquat detection (edit distance) | Supply Chain | high | CWE-494 | Yes |
| CHAIN-004 | Maintainer reputation (account age, history) | Supply Chain | medium | CWE-494 | Yes |
| CHAIN-005 | Dependency confusion risk | Supply Chain | high | CWE-427 | Yes |
| CHAIN-006 | Package integrity verification | Supply Chain | high | CWE-494 | Yes |
| CHAIN-007 | Source repo matches published package | Supply Chain | medium | CWE-494 | Yes |
| CHAIN-008 | Abandoned/unmaintained detection | Supply Chain | medium | CWE-1104 | Yes |
| INFRA-001 | Network binding audit (0.0.0.0 exposure) | Infrastructure | critical | CWE-668 | Yes |
| INFRA-002 | TLS/HTTPS enforcement | Infrastructure | high | CWE-319 | Yes |
| INFRA-003 | Rate limiting presence | Infrastructure | medium | CWE-770 | Yes |
| INFRA-004 | CORS configuration | Infrastructure | medium | CWE-942 | Yes |
| INFRA-005 | Error handling (stack traces exposed) | Infrastructure | medium | CWE-209 | Yes |
| INFRA-006 | HTTP security headers | Infrastructure | low | CWE-693 | Yes |
| INFRA-007 | DNS rebinding protection | Infrastructure | high | CWE-350 | Yes |
| INFRA-008 | Logging completeness audit | Infrastructure | medium | CWE-778 | Partial |
| RUN-001 | Guardrail bypass patterns (known evasions) | Runtime Behavior | high | CWE-693 | Partial |
| RUN-002 | Response size limits | Runtime Behavior | medium | CWE-770 | Yes |
| RUN-003 | Timeout enforcement | Runtime Behavior | medium | CWE-400 | Yes |
| RUN-004 | Concurrent request handling | Runtime Behavior | medium | CWE-362 | Partial |
| RUN-005 | Kill switch / emergency stop presence | Runtime Behavior | medium | CWE-778 | Partial |
| A2A-001 | Prompt injection in A2A Agent Card | A2A Agent Cards | critical | CWE-94 | Yes |
| A2A-002 | Obfuscated content in A2A Agent Card | A2A Agent Cards | critical | CWE-94 | Yes |
| A2A-003 | Agent Card identity spoofing | A2A Agent Cards | high | CWE-290 | Yes |
| A2A-004 | Agent Card served over HTTP | A2A Agent Cards | high | CWE-319 | Yes |
| A2A-005 | Agent Card declares excessive capabilities | A2A Agent Cards | medium | CWE-269 | Yes |
| FAIR-001 | Demographic signal in tool parameter | Fairness & Bias | medium | CWE-209 | Yes |
| FAIR-002 | Differential treatment risk | Fairness & Bias | low | CWE-209 | Yes |
| FAIR-003 | Data governance gap in tool accepting user data | Fairness & Bias | medium | CWE-209 | Yes |
CraftedTrust