
gotoHuman MCP — agentic threat model

AIVSS 3.6 · Low

gotoHuman MCP acts as a security control mechanism designed to reduce agentic risk by enforcing human-in-the-loop approval gates, though its own implementation must be secured against bypass and unauthorized approval injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 6.3
AARS uplift: 0.88
Factor sum: 2.5/10
Threat multiplier (ThM): ×0.95
Mitigation factor: ×0.5

Agentic risk factors:

Autonomy of Action: 0.10
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.60
Non-Determinism: 0.20
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
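Carrying the formula above through with this listing's own numbers, as an added worked check that is not part of the original listing, shows how the published values fit together:

```latex
\begin{align*}
\text{Factor\_Sum} &= 0.10 + 0.20 + 0.00 + 0.30 + 0.20 + 0.40 + 0.20 + 0.60 + 0.20 + 0.30 = 2.5 \\[6pt]
\text{AARS} &= (10 - \text{CVSS}_{\text{Base}}) \times \frac{\text{Factor\_Sum}}{10} \times \text{ThM} \\
            &= (10 - 6.3) \times \frac{2.5}{10} \times 0.95 \\
            &= 3.7 \times 0.25 \times 0.95 = 0.87875 \approx 0.88 \\[6pt]
\text{AIVSS} &= (\text{CVSS}_{\text{Base}} + \text{AARS}) \times \text{Mitigation\_Factor} \\
             &= (6.3 + 0.87875) \times 0.5 = 3.589 \approx 3.6
\end{align*}
```

The agentic uplift adds under one point to the 6.3 base; the ×0.5 mitigation factor accounts for almost all of the drop from 6.3 to the final 3.6, so the Low rating depends on that mitigation credit actually holding in deployment.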

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — gotoHuman is an MCP server and integration platform rather than a foundation model provider. It relies on external LLMs used by the integrating agents, which remain vulnerable to prompt injection that could attempt to craft deceptive approval requests.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — the platform handles approval request payloads, which may contain sensitive context or PII. Risks include data exposure in transit, or within the approval inbox history if it is not properly encrypted and purged.

L3 · Agent Frameworks (✓ mapped)

The MCP server integrates directly into agent frameworks to intercept tool execution. The primary threat is framework-level bypass, where a compromised or poorly configured agent skips the gotoHuman tool call entirely and executes the action directly.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — as an MCP server, it runs locally or hosted. Security depends on the hosting environment, secure communication channels (HTTPS/gRPC) to the gotoHuman inbox, and robust API key management.

L5 · Evaluation & Observability (✓ mapped)

The platform inherently acts as an observability and gating tool, logging pending, approved, and rejected actions. A key threat is the lack of tamper-proof audit logs if an attacker compromises the agent and attempts to spoof approval records.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Crucial layer for this agent. It must enforce strong authentication and authorization (AuthZ) to ensure only designated human operators can approve actions in the inbox, preventing unauthorized privilege escalation via session hijacking.

L7 · Agent Ecosystem (✓ mapped)

Designed specifically for multi-agent and automation ecosystems. It mitigates cascading failures and rogue agent behavior by inserting a mandatory human barrier before high-consequence horizontal or vertical actions are taken.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).