

arXiv MCP — agentic threat model

AIVSS 5.0 · Medium

The arXiv MCP is a read-only research tool with low agentic risk due to its lack of write actions, but it introduces a notable indirect prompt injection vector via untrusted academic abstracts and PDF content ingested into the model context.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor
AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 4.3
AARS uplift: 0.68
Factor sum: 1.2 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.10
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.20
Persistent Memory: 0.00
Contextual Awareness: 0.40
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.10
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
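As an added worked example (not code from the listing or from the arXiv MCP project), the AIVSS arithmetic above implemented in Python and run on the listing's own inputs; it assumes the qualitative labels follow the CVSS v3.1 severity bands, and the mitigation-factor comparison uses a constructed value of 0.9.

```python
# Added example, not code from the listing or the arXiv MCP project: it
# re-derives the AIVSS figures above from the listing's own inputs.
# The ten agentic risk factors exactly as scored in the listing.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.10,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.20,
    "Persistent Memory": 0.00,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.10,
}

# Assumption: qualitative labels follow the CVSS v3.1 bands (upper bound, label).
SEVERITY_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"),
                  (8.9, "High"), (10.0, "Critical")]

def aars(cvss_base, factors, threat_multiplier=1.0):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM: the uplift fills only
    the headroom above the CVSS base, scaled by the share of the 10-point budget used."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    if any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("each agentic factor must be in [0, 1]")
    return (10.0 - cvss_base) * (sum(factors.values()) / 10.0) * threat_multiplier

def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, capped at 10, one decimal."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(min(raw, 10.0), 1)

def severity(score):
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise ValueError("score out of range")

def score_arxiv_mcp(mitigation_factor=1.0):
    """Listing inputs: CVSS 4.3, factor sum 1.2, ThM 1.0 -> AARS 0.68, AIVSS 5.0."""
    score = aivss(4.3, AGENTIC_FACTORS, mitigation_factor=mitigation_factor)
    return score, severity(score)

if __name__ == "__main__":
    print("AARS uplift:", round(aars(4.3, AGENTIC_FACTORS), 2))   # 0.68
    print("As listed:", score_arxiv_mcp())                         # (5.0, 'Medium')
    # Constructed what-if: host-side controls credited as a 0.9 mitigation factor.
    print("With mitigation 0.9:", score_arxiv_mcp(0.9))            # (4.5, 'Medium')
```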

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not pin that layer down.

L1 · Foundation Models (✓ mapped)

The underlying foundation model is highly vulnerable to indirect prompt injection payloads embedded within retrieved arXiv abstracts or PDF text, potentially hijacking the model's subsequent instructions.

L2 · Data Operations (✓ mapped)

Data operations involve pulling public, read-only metadata and PDF links from arXiv. While the source is public, there is no validation or sanitization of the retrieved text, allowing untrusted data to enter the context window.

L3 · Agent Frameworks (✓ mapped)

The agent framework exposes basic search and retrieval tools. The primary threat is insecure tool integration where the orchestrator blindly trusts and processes the text returned by the arXiv MCP tool.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — deployment details depend entirely on the environment in which the MCP host runs. No API keys are required, which reduces credential exposure, but the host must safely handle outbound HTTPS requests to arXiv.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in guardrails, input/output filtering, or logging mechanisms to detect malicious injection payloads within the retrieved academic papers.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — the tool is open-source and free with no built-in authentication or authorization controls, relying entirely on the parent application's security posture.

L7 · Agent Ecosystem (✓ mapped)

In a multi-agent ecosystem, this agent acts as a specialized utility. If compromised via indirect injection, it could propagate poisoned data or malicious instructions to downstream orchestrators or other agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).