genomoncology/biomcp — agentic threat model
BioMCP is a read-only biomedical data retrieval agent with low agentic risk due to its reliance on public APIs, lack of write actions, and absence of persistent state or self-modification capabilities.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.30 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — BioMCP acts as an MCP server and does not specify its underlying foundation model. It is susceptible to standard L1 risks like prompt injection via malicious biomedical data retrieved from public sources.
Data operations rely on public, authoritative APIs (PubMed, ClinicalTrials.gov, MyVariant.info). The primary threat is downstream data poisoning if these external sources are manipulated, or indirect prompt injection embedded in publication abstracts.
The agent framework orchestrates tool calls to external biomedical databases. Risks include insecure tool integration where malformed API responses could cause denial of service or parser exploits within the MCP host.
Not certain from the listing — The deployment environment depends entirely on the user's local MCP host configuration. If run unsandboxed, vulnerabilities in the server code could expose the host system to local exploitation.
Not certain from the listing — There is no mention of built-in evaluation, logging, or guardrails to detect anomalous queries or malicious payloads returned from the external APIs.
Credential risk is low as the sources are public. However, there are no explicit authentication or authorization controls mentioned for restricting access to the MCP server itself.
As an MCP tool provider, BioMCP is designed to be called by other agents. The primary ecosystem risk is cascading trust abuse, where a compromised orchestrator agent uses BioMCP to fetch and process malicious payloads.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).