
arXiv MCP (cyanheads) — agentic threat model

AIVSS 4.6 · Medium

The arXiv MCP agent is a read-only tool for searching and retrieving academic papers, presenting low direct operational risk but a notable vulnerability to indirect prompt injection via untrusted paper content.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 4.3
AARS uplift: 0.85
Factor sum: 1.5/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Agentic risk factors (each scored 0.00 to 1.00):
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.00
Contextual Awareness: 0.40
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.20
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
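To make the scorecard reproducible, here is an added Python implementation of the formula above (example code written for this page, not the listing's own code and not the OWASP AIVSS calculator), fed with this agent's ten factor values. It returns the intermediate factor sum and AARS alongside the final score, so a reader can check the 0.85 uplift and the 4.6 result, or re-score the agent after a mitigation or capability change.

```python
from dataclasses import dataclass

# The ten OWASP AIVSS agentic risk factors, each in [0.0, 1.0], with the
# values this listing assigns to the arXiv MCP agent.
ARXIV_MCP_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.00,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.10,
}


@dataclass(frozen=True)
class AivssResult:
    factor_sum: float   # sum of the ten factors, 0..10
    aars: float         # Agentic AI Risk Score uplift added to the CVSS base
    score: float        # final AIVSS, unrounded


def aivss(cvss_base: float, factors: dict[str, float],
          threat_multiplier: float = 1.0,
          mitigation_factor: float = 1.0) -> AivssResult:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor,
    where AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    factor_sum = sum(factors.values())
    # The uplift is bounded by the headroom above the CVSS base, scaled by
    # how agentic the system is (factor_sum / 10) and the threat multiplier.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return AivssResult(factor_sum, aars, score)


if __name__ == "__main__":
    r = aivss(4.3, ARXIV_MCP_FACTORS, threat_multiplier=1.0, mitigation_factor=0.9)
    print(f"factor sum {r.factor_sum:.2f}/10, AARS {r.aars:.2f}, AIVSS {r.score:.1f}")
```

Dropping mitigation_factor to 1.0 shows how much of the headline score the ×0.9 mitigation is worth for this agent.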

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

The underlying foundation model is highly vulnerable to indirect prompt injection payloads embedded within retrieved arXiv paper abstracts or full-text content, potentially hijacking the model's session.

L2 · Data Operations (✓ mapped)

Data operations involve fetching public, untrusted external PDFs and metadata from arXiv. While the connection is read-only, there is a risk of data poisoning if malicious actors upload papers containing injection payloads to arXiv.

L3 · Agent Frameworks (✓ mapped)

The MCP tool integration must safely handle raw text and PDF parsing. Insecure tool integration could allow malformed PDF structures or embedded scripts to exploit the parsing libraries or the orchestrating framework.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment environment of the MCP host is unspecified, but it requires outbound network access to the public arXiv API, which should be sandboxed to prevent SSRF or lateral movement.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of input/output filtering, guardrails, or logging mechanisms to detect and intercept prompt injection payloads contained within the retrieved paper texts.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The tool is open source and read-only over public data, meaning it does not handle sensitive user credentials or PII, minimizing compliance overhead, though it lacks built-in content validation policies.

L7 · Agent Ecosystem (✓ mapped)

Designed as an MCP tool to be called by other orchestrator agents. A compromised or hijacked orchestrator could abuse this tool to perform denial-of-service volume requests against arXiv or propagate injected payloads to other downstream agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).