AgentReadyHomeAgent Listing

← kimtaeyoon83/mcp-server-youtube-transcript

kimtaeyoon83/mcp-server-youtube-transcript — agentic threat model

6.7AIVSS 6.7 · Medium

This MCP server acts as a data-retrieval tool that introduces a significant indirect prompt injection vector by feeding untrusted YouTube transcript content directly to downstream LLMs. While the tool itself has low autonomy and no planning capabilities, its integration into agentic workflows poses a risk if the calling agent lacks robust input sanitization.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.3AARS uplift 0.41Factor sum 1.1/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.10
Goal-Driven Planning
0.00
Self-Modification
0.00
Dynamic Tool Use
0.10
Persistent Memory
0.00
Contextual Awareness
0.20
Dynamic Identity
0.00
Multi-Agent Interactions
0.40
Non-Determinism
0.20
Opacity & Reflexivity
0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The MCP server itself is model-agnostic and does not specify a foundation model. However, the untrusted transcript content returned to the model represents an indirect prompt injection surface.

L2 · Data Operations✓ mapped

Fetches external, untrusted YouTube transcripts and subtitles. This introduces a risk of data poisoning or indirect prompt injection via the fetched transcript text.

L3 · Agent Frameworks✓ mapped

This is an MCP (Model Context Protocol) server tool. It integrates into agent frameworks to provide YouTube transcript fetching. Vulnerabilities include insecure tool integration if the calling agent blindly trusts the returned transcript or executes commands embedded in it.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The deployment environment (local MCP host, Docker, etc.) is not specified in the directory listing, though standard MCP servers run locally on the user's machine, potentially exposing local resources if compromised.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — No built-in evaluation, logging, or guardrails are mentioned in the directory listing for filtering malicious transcript content.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — No authentication, authorization, or compliance controls are mentioned for this open-source MCP server.

L7 · Agent Ecosystem✓ mapped

Designed to be used by other agents (MCP client-server architecture). A compromised or malicious transcript could exploit downstream agents in a multi-agent or tool-use chain.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).