AgentReadyHomeAgent Listing

← Academic Search MCP

Academic Search MCP — agentic threat model

6.6AIVSS 6.6 · Medium

The Academic Search MCP agent presents a low-to-moderate risk profile, primarily acting as a read-only gateway to academic literature. Its main security surface is the ingestion of untrusted external text (abstracts and metadata) which could serve as a vector for indirect prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.8AARS uplift 0.84Factor sum 2.0/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.30
Goal-Driven Planning
0.20
Self-Modification
0.00
Dynamic Tool Use
0.20
Persistent Memory
0.00
Contextual Awareness
0.40
Dynamic Identity
0.10
Multi-Agent Interactions
0.30
Non-Determinism
0.30
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The underlying foundation model is not specified. However, the primary L1 threat is indirect prompt injection, where malicious instructions embedded in academic paper abstracts or metadata reprogram the model's behavior during processing.

L2 · Data Operations✓ mapped

The agent ingests external, untrusted data from the Semantic Scholar API (metadata, abstracts, citation graphs). This introduces a risk of data poisoning or formatting exploits if the retrieved content contains malicious payloads designed to exploit parser vulnerabilities or manipulate downstream agent logic.

L3 · Agent Frameworks✓ mapped

The agent uses the Model Context Protocol (MCP) to expose search and recommendation tools. Threats include insecure tool integration, lack of input validation on search queries, and potential resource exhaustion during batch metadata retrieval operations.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The hosting and deployment environment of the MCP server is not detailed. The primary infrastructure threat is the exposure or theft of the Semantic Scholar API key if it is insecurely stored in environment variables or configuration files.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of logging, monitoring, or guardrails. The lack of observability could lead to blind spots, preventing the detection of anomalous search patterns or successful indirect prompt injection attacks.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — No authentication, authorization, or compliance frameworks are specified. Without access controls, unauthorized clients could abuse the MCP server, potentially exhausting the Semantic Scholar API rate limits or quotas.

L7 · Agent Ecosystem✓ mapped

As an MCP tool, this agent is designed to integrate into broader agentic ecosystems. A compromised or manipulated search result could lead to cascading failures or trust abuse if other orchestrator agents consume its output without sanitization.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).