
ClinicalTrials.gov MCP — agentic threat model

AIVSS 5.1 · Medium

The ClinicalTrials.gov MCP is a read-only tool with low inherent agentic risk due to its lack of autonomous execution or statefulness, but it carries data privacy and indirect prompt injection risks when handling sensitive patient data and untrusted external study text.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 5.3
AARS uplift: 0.75
Factor sum: 1.6/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.85

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.20
Persistent Memory: 0.00
Contextual Awareness: 0.40
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.20
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
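To check that the listed inputs reproduce the 5.1 score, here is the AIVSS formula carried through in code. This is an added example, not part of the listing; the factor weights, CVSS base, threat multiplier and mitigation factor are the values shown on this page, and the function names are my own.

```python
# Agentic risk factors as listed on this page (each in the range 0.0 to 1.0).
FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.20,
    "Persistent Memory": 0.00,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}


def aars(cvss_base: float, factors: dict, threat_multiplier: float = 1.0) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.

    The uplift the agentic factors add on top of the CVSS base: it scales
    the headroom left below 10, so a tool with a high CVSS base gains little
    from agentic factors, while a low-CVSS tool with high autonomy gains a lot.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict,
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded to one decimal."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(raw, 1)


def breakdown(cvss_base: float, factors: dict,
              threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> dict:
    """Return every intermediate value so a reviewer can compare against the listing."""
    return {
        "factor_sum": round(sum(factors.values()), 2),
        "aars": round(aars(cvss_base, factors, threat_multiplier), 2),
        "aivss": aivss(cvss_base, factors, threat_multiplier, mitigation_factor),
        # Same inputs with the mitigation credit removed, to show what it buys.
        "aivss_unmitigated": aivss(cvss_base, factors, threat_multiplier, 1.0),
    }


if __name__ == "__main__":
    print(breakdown(5.3, FACTORS, threat_multiplier=1.0, mitigation_factor=0.85))
```

Running it reproduces the page's numbers (factor sum 1.6, AARS 0.75, score 5.1) and shows that the ×0.85 mitigation credit is worth a full point against the unmitigated 6.1.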

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The connector does not specify the underlying foundation model used for matching, but any LLM consuming this tool is vulnerable to indirect prompt injection via untrusted study text retrieved from the public registry.

L2 · Data Operations (✓ mapped)

Retrieves public data from the ClinicalTrials.gov v2 API. While the source is a trusted government registry, the retrieved study text must be treated as untrusted external content. Patient data used for matching represents highly sensitive health context that requires strict client-side isolation to prevent data exfiltration.

L3 · Agent Frameworks (✓ mapped)

Exposed as an MCP tool. Vulnerabilities include insecure tool integration if the orchestrating agent framework fails to sanitize inputs/outputs or passes sensitive patient context to unencrypted logs or external APIs during the matching process.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment environment of the MCP server is unspecified. Security relies on the host environment's network security, secure transport (HTTPS) to the government API, and sandboxing of the runtime.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in observability, logging, or guardrails are mentioned. Monitoring is required to detect anomalous query volumes or attempts to exfiltrate patient data through matching queries.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The patient-to-trial matching capability touches sensitive health context, introducing significant compliance risks (e.g., HIPAA, GDPR). The listing mitigates this by recommending that patient data stay client-side, but enforcement depends entirely on the implementing system's policy engine.

L7 · Agent Ecosystem (✓ mapped)

As an open-source MCP tool, it is designed to be integrated into larger agentic workflows. Risks include cascading failures if the upstream government API is rate-limited, and trust abuse if a compromised orchestrator forwards patient data retrieved or processed by this tool to unauthorized third-party agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).