Bankless Onchain MCP — agentic threat model

AIVSS 6.1 · Medium

The Bankless Onchain MCP is a read-only blockchain data agent with low agentic risk, but it is highly exposed to untrusted, attacker-crafted onchain data that could lead to downstream injection attacks.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.3 · AARS uplift 0.75 · Factor sum 1.6/10 · Threat ×1.0 · Mitigation ×1.0

Autonomy of Action: 0.10
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.00
Contextual Awareness: 0.40
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.20
Non-Determinism: 0.20
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The underlying foundation model is not specified; however, processing untrusted onchain strings (like malicious token names) could trigger indirect prompt injection or model reprogramming.

L2 · Data Operations · ✓ mapped

The data operations layer ingests public blockchain data, which is highly susceptible to data poisoning. Attackers can deploy malicious smart contracts or mint tokens with malicious metadata to poison the agent's context.

L3 · Agent Frameworks · ✓ mapped

The agent framework integrates read-only tools for ERC20 and smart-contract state lookups. The primary risk is insecure tool integration where returned untrusted strings are executed or rendered without sanitization.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — The hosting and deployment infrastructure of the MCP server is not specified, but it requires outbound network access to blockchain RPC nodes, presenting potential SSRF or network exposure risks.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — No built-in observability, logging, or guardrails are mentioned to detect or filter malicious blockchain payloads before they reach the consuming agent.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The agent is open-source and free, but lacks explicit authentication, authorization, or compliance controls for data validation, relying entirely on the host environment's security posture.

L7 · Agent Ecosystem · ✓ mapped

Designed as an MCP tool for other agents, this agent introduces cascading failure risks in multi-agent ecosystems if consuming agents implicitly trust the onchain data it retrieves.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).