AgentReadyHomeAgent Listing

← ArXiv Scout MCP

ArXiv Scout MCP — agentic threat model

7.9AIVSS 7.9 · High

ArXiv Scout MCP presents a moderate-to-high risk profile primarily due to its ingestion of untrusted PDF content directly into model contexts, creating a vector for indirect prompt injection, though its lack of write-access tools limits real-world physical or financial damage.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.3AARS uplift 1.55Factor sum 4.0/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.40
Goal-Driven Planning
0.50
Self-Modification
0.10
Dynamic Tool Use
0.40
Persistent Memory
0.20
Contextual Awareness
0.80
Dynamic Identity
0.10
Multi-Agent Interactions
0.60
Non-Determinism
0.50
Opacity & Reflexivity
0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

The agent relies on external foundation models to process extracted PDF text. The primary threat is indirect prompt injection via malicious academic papers designed to hijack the model's instructions, potentially leading to data exfiltration or unauthorized tool execution.

L2 · Data Operations✓ mapped

Data operations involve downloading public PDFs and extracting full text. The main threat is data poisoning or malicious content injection within the ingested PDFs, as the source is untrusted external academic repositories.

L3 · Agent Frameworks✓ mapped

The agent framework orchestrates advanced arXiv queries and citation tracking. Threats include tool misuse where the agent is manipulated via injected prompts to execute unintended search queries or consume excessive API/network resources.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The deployment environment must securely sandbox the PDF extraction engine to prevent remote code execution (RCE) vulnerabilities commonly found in PDF parsing libraries.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, input sanitization for PDF text, or observability logging to detect and block prompt injection attempts hidden in academic papers.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — The agent appears to lack explicit compliance frameworks, access controls, or licensing/copyright compliance checks for full-text PDF extraction and redistribution.

L7 · Agent Ecosystem✓ mapped

As an MCP (Model Context Protocol) tool, this agent is designed to interface directly with other host agents. A compromise or injection in ArXiv Scout can cascade to the parent agent, leading to broader system compromise.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).