Alchemy MCP Server — agentic threat model
The Alchemy MCP Server acts as a critical data and simulation gateway for blockchain-enabled agents, presenting high indirect risk; while read-oriented, its untrusted multi-chain outputs and transaction simulations can be manipulated to trick downstream agents into executing catastrophic financial transactions.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.60 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.80 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The listing describes an MCP server providing tools rather than a specific foundation model. However, downstream models consuming this data are vulnerable to indirect prompt injection via malicious on-chain contract metadata or transaction traces.
Retrieves multi-chain blockchain data (tokens, NFTs, transfers). The primary threat is data poisoning or provenance gaps, as returned addresses and contract data are explicitly untrusted inputs that can be spoofed on-chain to mislead the consuming agent.
Exposes transaction simulation and trace tools. Insecure tool integration is a major threat if downstream agent frameworks blindly trust simulated transaction success metrics to authorize real-world financial operations.
Operates as a remote MCP server requiring API keys. Threats include API key exposure, lack of transport layer security, and potential compromise of the remote hosting infrastructure serving the API.
Not certain from the listing — There is no mention of logging, monitoring, or guardrails to detect anomalous simulation requests, API abuse, or malicious payloads returned from the blockchain.
Uses API keys for metered access control, but lacks fine-grained authorization or input sanitization, passing untrusted blockchain data directly to the agent ecosystem without validation.
Designed specifically for agent-to-agent (A2A) and agent-to-tool ecosystems. A compromised or manipulated simulation output can cause cascading failures across multiple coordinated agents relying on the same blockchain state.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).