Ghidra (GhidraMCP) — agentic threat model
GhidraMCP presents a high-risk profile due to its direct exposure to untrusted, potentially malicious binaries which can execute indirect prompt injection attacks through decompiled output, potentially leading to host compromise via the live Ghidra instance.
OWASP AIVSS score rationale
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
The foundation model is highly vulnerable to indirect prompt injection. Malicious binaries can be crafted to contain specific string patterns or symbol names that, when decompiled and fed to the LLM, hijack its instructions to execute arbitrary actions.
Data operations involve ingestion of untrusted binary files. Malicious samples can poison the agent's context window with misleading decompiled code, leading to incorrect analysis or exploitation of the parser.
The MCP framework exposes powerful tools to drive Ghidra (decompilation, renaming, analysis). If the agent is compromised via prompt injection, these tools can be abused to corrupt the Ghidra project or execute malicious Ghidra scripts.
The agent drives a live Ghidra instance on the host. If Ghidra runs unsandboxed, vulnerabilities in Ghidra's analysis engine or the MCP server itself could allow a malicious binary to achieve host-level remote code execution (RCE).
Not certain from the listing — there is no mention of logging, guardrails, or observability mechanisms to detect when the LLM is being manipulated by decompiled binary contents.
Not certain from the listing — no security policies, authentication mechanisms, or compliance frameworks are specified for the MCP connection or the Ghidra instance.
Not certain from the listing — while MCP supports multi-agent orchestration, the listing does not specify if this agent interacts with other agents or operates in isolation.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).