Glassnode MCP — agentic threat model
The Glassnode MCP agent acts as a read-only data connector for institutional-grade financial metrics, presenting low direct agentic risk but introducing potential financial decision-making risks if its analytical outputs are manipulated.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The underlying foundation model is not specified; however, it is vulnerable to prompt injection that could cause the agent to misinterpret or misrepresent the retrieved financial metrics to the user.
The agent retrieves structured on-chain metrics and market intelligence articles via the Glassnode API. Threats include data manipulation if the upstream API is compromised, or local caching/exfiltration of sensitive paid market data.
The agent uses the Model Context Protocol (MCP) to expose tools for bulk multi-asset fetching. Threats include tool misuse where malicious prompts force excessive API calls, exhausting rate limits or paid API quotas.
The agent requires an API key to access paid Glassnode analytics. The primary threat is the insecure storage or exposure of this API key within the host environment or during transit.
Not certain from the listing — There is no mention of built-in logging, telemetry, or guardrails to monitor query volumes, detect anomalous data retrieval patterns, or verify the integrity of the returned financial metrics.
Access control is gated via a standard API key (with a 30-day limit for the free tier). There is no evidence of fine-grained role-based access control (RBAC) or compliance auditing for data usage within the agent itself.
Designed to feed analytical data into other agents' decision-making pipelines. A compromised or manipulated Glassnode agent could feed poisoned market intelligence to downstream trading or execution agents, causing cascading financial losses.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).