

legalize-mcp — agentic threat model

AIVSS 4.3 · Medium

legalize-mcp is a low-risk, read-only MCP server focused on legal text retrieval. Its primary security exposure is limited to handling external untrusted legal texts and managing a GitHub API token.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
Scoring inputs:
  CVSS base         4.3
  AARS uplift       0.76
  Factor sum        1.4 / 10
  Threat (ThM)      ×0.95
  Mitigation        ×0.85

Agentic risk factors:
  Autonomy of Action          0.10
  Goal-Driven Planning        0.10
  Self-Modification           0.00
  Dynamic Tool Use            0.20
  Persistent Memory           0.00
  Contextual Awareness        0.30
  Dynamic Identity            0.20
  Multi-Agent Interactions    0.10
  Non-Determinism             0.20
  Opacity & Reflexivity       0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
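As an added worked example (not part of this listing or of the legalize-mcp project), the formula above recomputed in Python from the inputs shown on this page; the qualitative bands are assumed to follow the CVSS v3 scale (Low < 4.0, Medium < 7.0, High < 9.0, else Critical).

```python
# Added example (not from the listing): recompute this page's OWASP AIVSS
# score from the published inputs and check that it lands at 4.3 / Medium.

# The ten agentic risk factors exactly as tabulated on the page.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.10,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.20,
    "Persistent Memory": 0.00,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.20,
}


def factor_sum(factors):
    """Sum of the agentic risk factors; the page reports it out of 10."""
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM: the headroom above
    the CVSS base, scaled by the agentic factors and the threat multiplier."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score):
    """Qualitative band; assumed here to follow the CVSS v3 scale."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_legalize_mcp():
    """Inputs as shown on the page: CVSS base 4.3, ThM 0.95, mitigation 0.85."""
    total = aivss(4.3, AGENTIC_FACTORS, 0.95, 0.85)
    return {"factor_sum": factor_sum(AGENTIC_FACTORS),
            "aars": aars(4.3, AGENTIC_FACTORS, 0.95),
            "aivss": total, "severity": severity(total)}


if __name__ == "__main__":
    for key, value in score_legalize_mcp().items():
        print(f"{key}: {value if isinstance(value, str) else round(value, 2)}")
```

Changing a single factor (for instance Dynamic Tool Use to 0.4 after a write-capable tool is added) shows how little the agentic uplift moves a low CVSS base, which is why the mitigation factor dominates this score.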

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the agent acts as an MCP server and does not specify a native foundation model. It relies on the host client's LLM, so any adversarial instructions embedded in retrieved legal texts land directly in that model's context as an indirect prompt injection.

L2 · Data Operations (✓ mapped)

Retrieves national legislation from 37 jurisdictions via the legalize-dev corpus. Main threat is data poisoning of the upstream corpus or integrity issues during retrieval, though the tool itself is read-only.

L3 · Agent Frameworks (✓ mapped)

Provides explicit tools for searching, retrieving laws, and browsing reform history. The tool execution risk is low due to its read-only nature, but input validation is required to prevent path traversal or query injection.

L4 · Deployment & Infrastructure (✓ mapped)

Requires hosting as an MCP server. It handles a GitHub token for corpus access and writes to a local audit directory, requiring secure file permissions and safe environment variable handling.

L5 · Evaluation & Observability (✓ mapped)

Features built-in audit logging of queries to a designated directory, providing good local traceability, though it lacks active runtime guardrails or anomaly detection.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Provides basic audit trails for compliance. However, it lacks built-in authentication or fine-grained authorization, relying entirely on the host MCP client's security posture.

L7 · Agent Ecosystem (✓ mapped)

Designed to operate within an MCP ecosystem. While it does not orchestrate multi-agent workflows natively, other agents can call its tools, potentially propagating poisoned legal text downstream.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).