gotoHuman MCP — agentic threat model
gotoHuman MCP is itself a security control: it reduces agentic risk by enforcing human-in-the-loop approval gates before an agent takes consequential actions. Its own implementation must therefore be secured against two failure modes: agents that bypass the gate, and attackers who inject, forge, or replay approvals.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.60 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.30 | |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator); the agentic risk factors are estimates derived from the agent's described capabilities, not measurements of the running system.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" carry general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models. Not certain from the listing — gotoHuman is an MCP server and integration platform, not a foundation-model provider. The LLMs belong to the integrating agents, and those models remain exposed to prompt injection that could craft deceptive approval requests: an action presented to the human approver as benign while its actual arguments are not.
Layer 2, Data Operations. Not certain from the listing — approval request payloads may carry sensitive context or PII. The risks are exposure in transit and retention in the approval inbox history if that data is not encrypted and purged.
Layer 3, Agent Frameworks. The MCP server is wired into the agent framework so that tool execution waits on a human decision. The primary threat is framework-level bypass: a compromised or misconfigured agent never calls the gotoHuman tool and executes the action directly. A gate that exists only as an instruction to the model is advisory; it holds only when the component that actually executes the tool refuses to proceed without a recorded approval.
Layer 4, Deployment & Infrastructure. Not certain from the listing — as an MCP server it runs locally or hosted. Security depends on the hosting environment, on a secure channel (HTTPS or gRPC over TLS) to the gotoHuman inbox, and on robust API key management.
Layer 5, Evaluation & Observability. The platform is itself an observability and gating tool: it records pending, approved, and rejected actions. The key threat is an audit trail that is not tamper-evident, so an attacker who compromises the agent can spoof or rewrite approval records. Records should be written by the approval service rather than the agent, and stored where the agent cannot alter them.
Layer 6, Security & Compliance. The crucial layer for this agent. Authentication and authorization on the inbox must ensure that only designated human operators can approve actions; otherwise session hijacking or a weak login turns the gate into a privilege-escalation path, since an approval is in effect authorization to act.
Layer 7, Agent Ecosystem. Designed for multi-agent and automation ecosystems. It mitigates cascading failures and rogue-agent behaviour by inserting a mandatory human barrier before high-consequence actions are taken, whether horizontally across agents or vertically up a chain of delegation.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
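The framework-level bypass, the spoofed approval records, and the unauthorized approver described above all come down to where the gate is enforced. The following Python is an added example written for this page; it is not gotoHuman's code and does not use its MCP server's API, and every name in it (execute_tool, issue_approval, verify_approval, AuditLog, APPROVER_KEY, the tool names and operators) is hypothetical. It shows an executor that runs a high-consequence tool only when it holds an approval token bound to the exact tool and arguments, unexpired and single-use, minted by an operator holding the approver role, and that records every decision in a hash-chained log where edits are detectable. The HMAC key shared between issuer and verifier is a simplification for a self-contained example; a real deployment would give the executor only a public verification key or have it query the approval service.

```python
# Added example for this page (not gotoHuman's code); all names are hypothetical.
import hashlib
import hmac
import json
import secrets
import time

# Secret held by the approval service; the agent never sees it (constructed here).
APPROVER_KEY = secrets.token_bytes(32)
# Tools that must not run without a human decision.
HIGH_CONSEQUENCE = {"send_wire", "delete_customer"}
# Nonces already redeemed, so a captured approval cannot be replayed.
_USED_NONCES = set()


def _canon(obj):
    """Canonical JSON bytes so equal actions always produce equal digests."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def action_digest(tool, args):
    """Binds an approval to one tool name and one exact argument set."""
    return hashlib.sha256(_canon({"tool": tool, "args": args})).hexdigest()


def issue_approval(tool, args, approver, role, ttl=300, now=None):
    """Approval-service side: only an operator holding the approver role can
    mint a token, and the token names one action, one expiry and one nonce."""
    if role != "approver":
        raise PermissionError(f"{approver} may not approve actions")
    now = time.time() if now is None else now
    payload = {
        "digest": action_digest(tool, args),
        "approver": approver,
        "exp": now + ttl,
        "nonce": secrets.token_hex(16),
    }
    mac = hmac.new(APPROVER_KEY, _canon(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_approval(token, tool, args, now=None):
    """Executor side: accept only a token with a valid MAC that is unexpired,
    unused, and bound to the action about to run."""
    payload = token.get("payload", {})
    expected = hmac.new(APPROVER_KEY, _canon(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(str(token.get("mac", "")), expected):
        return False  # forged, or payload edited after issue
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return False  # expired
    if payload.get("digest") != action_digest(tool, args):
        return False  # approved a different action (arguments swapped after approval)
    if payload.get("nonce") in _USED_NONCES:
        return False  # replay of an approval already redeemed
    _USED_NONCES.add(payload["nonce"])
    return True


class AuditLog:
    """Append-only, hash-chained record of gate decisions. Editing or dropping
    an entry breaks the chain. The newest hash should be copied somewhere the
    agent cannot write, otherwise an attacker could simply rebuild the chain."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256(_canon({"prev": prev, "event": event})).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            recomputed = hashlib.sha256(
                _canon({"prev": entry["prev"], "event": entry["event"]})).hexdigest()
            if entry["prev"] != prev or entry["hash"] != recomputed:
                return False
            prev = entry["hash"]
        return True


AUDIT = AuditLog()


def execute_tool(tool, args, approval=None, now=None):
    """The only code path that runs a tool. Enforcing the gate here, rather
    than in the agent's prompt, is what makes it non-bypassable."""
    ok = tool not in HIGH_CONSEQUENCE or (
        approval is not None and verify_approval(approval, tool, args, now))
    AUDIT.append({"tool": tool, "digest": action_digest(tool, args),
                  "decision": "executed" if ok else "blocked"})
    return {"status": "executed" if ok else "blocked", "tool": tool}
```

Two design choices carry the weight. Binding the token to a digest of the canonicalized tool name and arguments means an approval for a 100-unit wire cannot be reused for a 900-unit one, which is the usual shape of an approval-injection attack: get the human to approve something harmless, then run something else under that approval. Consuming the nonce on first use closes replay; the expiry bounds how long a stolen token is useful. The audit chain only proves tampering if its head hash lives outside the agent's reach.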