fosdickio/binary_ninja_mcp — agentic threat model
This agent acts as a direct bridge between LLMs and Binary Ninja, exposing decompilation and binary inspection capabilities. The primary risk lies in feeding untrusted binary outputs to the model, which could trigger prompt injection or exploit parser vulnerabilities in the hosting environment.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — relies on external MCP-compatible LLMs. The primary threat is indirect prompt injection where malicious strings embedded in decompiled binary metadata or symbols hijack the model's instructions.
Data operations involve ingestion of binary files, decompiled code, and function metadata. Untrusted binaries can poison the context window or exploit parser vulnerabilities during the extraction of symbols and assembly.
The MCP bridge exposes Binary Ninja's API as tools. Insecure tool integration could allow an LLM, manipulated by malicious binary content, to execute arbitrary Binary Ninja API commands or Python scripts within the analyst's session.
Not certain from the listing — deployment depends on the user's local Binary Ninja environment. If run without sandboxing, a compromised agent session could lead to local host compromise or privilege escalation via the Binary Ninja process.
Not certain from the listing — there is no mention of built-in guardrails, logging, or input sanitization to filter out adversarial payloads embedded within the binary's sections or decompiled output.
Not certain from the listing — lacks explicit authentication, authorization, or policy enforcement mechanisms between the MCP client and the Binary Ninja instance, relying entirely on local transport security.
As an MCP server, this agent can be integrated into larger multi-agent workflows. A compromise here allows malicious binary analysis results to propagate and corrupt downstream reporting or decision-making agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).