legalize-mcp — agentic threat model
legalize-mcp is a low-risk, read-only MCP server focused on legal text retrieval. Its primary security exposure is limited to handling external untrusted legal texts and managing a GitHub API token.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The agent acts as an MCP server and does not specify a native foundation model. It relies on the host client's LLM, making it susceptible to indirect prompt injection if retrieved legal texts contain adversarial instructions.
Layer 2 (Data Operations): Retrieves national legislation from 37 jurisdictions via the legalize-dev corpus. The main threat is data poisoning of the upstream corpus or integrity issues during retrieval, though the tool itself is read-only.
Layer 3 (Agent Frameworks): Provides explicit tools for searching, retrieving laws, and browsing reform history. Tool execution risk is low because of the read-only design, but input validation is still required to prevent path traversal or query injection.
Layer 4 (Deployment and Infrastructure): Requires hosting as an MCP server. It handles a GitHub token for corpus access and writes to a local audit directory, so it needs secure file permissions and safe environment-variable handling.
Layer 5 (Evaluation and Observability): Features built-in audit logging of queries to a designated directory, providing good local traceability, though it lacks active runtime guardrails or anomaly detection.
Layer 6 (Security and Compliance): Provides basic audit trails for compliance. However, it lacks built-in authentication or fine-grained authorization, relying entirely on the host MCP client's security posture.
Layer 7 (Agent Ecosystem): Designed to operate within an MCP ecosystem. While it does not orchestrate multi-agent workflows natively, other agents can call its tools, potentially propagating poisoned legal text downstream.
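The two controls the layer-3 and layer-4 notes call for, input validation against path traversal and an owner-only audit directory, as an added example that is not legalize-mcp's own code; the corpus layout (`<root>/<jurisdiction>/<law_id>.md`), the identifier formats and the audit file name are assumptions made for illustration.

```python
"""Hardened request handling for a read-only legal-corpus MCP tool (added example)."""
import json
import os
import re
import time
from pathlib import Path

# Strict allowlists (assumed formats): no separators, dots or NULs, so
# '..', '/', '\\' and encoded variants never reach the filesystem layer.
JURISDICTION_RE = re.compile(r"[a-z]{2}(-[a-z0-9]{1,8})?")
LAW_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,127}")


def validate_identifiers(jurisdiction: str, law_id: str) -> None:
    """Reject anything outside the allowlisted shapes before touching disk."""
    if not JURISDICTION_RE.fullmatch(jurisdiction):
        raise ValueError(f"invalid jurisdiction: {jurisdiction!r}")
    if not LAW_ID_RE.fullmatch(law_id):
        raise ValueError(f"invalid law id: {law_id!r}")


def resolve_corpus_path(corpus_root, jurisdiction: str, law_id: str) -> Path:
    """Map validated identifiers to a file and prove it stays inside the corpus.

    The allowlist already blocks traversal syntax; the containment check is
    defence in depth against symlinks planted in a poisoned corpus checkout.
    """
    validate_identifiers(jurisdiction, law_id)
    root = Path(corpus_root).resolve()
    target = (root / jurisdiction / f"{law_id}.md").resolve()
    if not target.is_relative_to(root):
        raise ValueError("resolved path escapes corpus root")
    return target


def append_audit_record(audit_dir, tool: str, args: dict, outcome: str) -> dict:
    """Append one JSON line to the audit log, readable by the server user only."""
    audit_dir = Path(audit_dir)
    audit_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    record = {"ts": time.time(), "tool": tool, "args": args, "outcome": outcome}
    # O_APPEND|O_CREAT with mode 0o600: queries may reveal what a user is
    # researching, so other local accounts must not be able to read them.
    fd = os.open(audit_dir / "queries.jsonl",
                 os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record
```

Log the rejection as well as the success path: a burst of `ValueError` outcomes from one client is the simplest anomaly signal this server can offer, since it has no runtime guardrails of its own.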
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).