Bankless Onchain MCP — agentic threat model
The Bankless Onchain MCP is a read-only blockchain data agent with low agentic risk, but it is highly exposed to untrusted, attacker-crafted onchain data that could lead to downstream injection attacks.
OWASP AIVSS score rationale
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The underlying foundation model is not specified; however, processing untrusted onchain strings (like malicious token names) could trigger indirect prompt injection or model reprogramming.
The data operations layer ingests public blockchain data, which is highly susceptible to data poisoning. Attackers can deploy malicious smart contracts or mint tokens with malicious metadata to poison the agent's context.
The agent framework integrates read-only tools for ERC20 and smart-contract state lookups. The primary risk is insecure tool integration where returned untrusted strings are executed or rendered without sanitization.
Not certain from the listing — The hosting and deployment infrastructure of the MCP server is not specified, but it requires outbound network access to blockchain RPC nodes, presenting potential SSRF or network exposure risks.
Not certain from the listing — No built-in observability, logging, or guardrails are mentioned to detect or filter malicious blockchain payloads before they reach the consuming agent.
The agent is open-source and free, but lacks explicit authentication, authorization, or compliance controls for data validation, relying entirely on the host environment's security posture.
Designed as an MCP tool for other agents, this agent introduces cascading failure risks in multi-agent ecosystems if consuming agents implicitly trust the onchain data it retrieves.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).