
gitbook-mcp — agentic threat model

AIVSS 5.2 · Medium

The gitbook-mcp agent presents a low-to-moderate risk profile due to its read-only nature and scoped API access, with the primary threats being indirect prompt injection from untrusted GitBook content and potential exposure of the GitBook API token.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 5.3
AARS uplift: 0.52
Factor sum: 1.1/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.20
Persistent Memory: 0.00
Contextual Awareness: 0.20
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.00
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing does not specify the underlying LLM used by the assistant. Standard risks like prompt injection via retrieved GitBook content (indirect prompt injection) apply if the LLM processes untrusted documentation.

L2 · Data Operations (✓ mapped)

The agent retrieves GitBook spaces, pages, and search results. The primary threat is indirect prompt injection or data exfiltration if GitBook content contains malicious payloads or sensitive data.

L3 · Agent Frameworks (✓ mapped)

The MCP server integrates with AI assistants. Vulnerabilities in the MCP tool-calling framework or insecure handling of the retrieved content could lead to tool misuse or orchestrator compromise.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The hosting environment for the MCP server is not specified. It requires storing a GITBOOK_API_TOKEN, which is vulnerable to exposure if the hosting environment or environment variables are compromised.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of logging, guardrails, or evaluation metrics for the retrieved content or queries.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The tool enforces read-only access and org/space scoping for the GITBOOK_API_TOKEN, limiting the blast radius of a compromised token.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — No multi-agent interactions are described, but if integrated into a multi-agent system, compromised GitBook content could propagate malicious instructions to other downstream agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).