mcp-nvd (marcoeg) — agentic threat model
The mcp-nvd agent is a highly focused, read-only tool with minimal agentic risk, primarily acting as an informational bridge to the NIST NVD API. Its main security exposure is the potential ingestion of attacker-controlled CVE descriptions into an LLM context, which could trigger downstream prompt injection.
OWASP AIVSS score rationale
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.20 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
The agent itself does not host a foundation model, but it feeds external CVE data directly into consuming LLMs. The primary threat is indirect prompt injection, where an attacker crafts a malicious CVE description in the NVD database to hijack the consuming model's behavior upon retrieval.
Data operations are limited to querying the external NIST NVD API. There is no local vector database or RAG store to poison, but the agent relies entirely on the integrity and availability of the upstream NVD data source.
As an MCP server, it exposes structured tools for CVE lookup. The tool surface is read-only and highly constrained, minimizing risks of tool misuse or arbitrary code execution, though the consuming framework must safely handle the returned JSON payload.
Not certain from the listing — the deployment model depends on how the host runs this MCP server (e.g., locally via Node/Python or inside a container). If run locally without sandboxing, any vulnerability in the MCP host or the tool's dependencies could expose the host system.
Not certain from the listing — there is no mention of built-in logging, rate-limiting, or input/output guardrails within this lightweight tool. Monitoring of API usage and payload sanitization must be handled by the orchestrating framework.
The tool is open-source and free with no built-in authentication or authorization mechanisms. It relies on the host environment to manage API keys (if required by NVD for higher rate limits) and to enforce access controls.
In a multi-agent ecosystem, this agent serves as a specialized utility. If compromised or fed malicious data, it could propagate inaccurate vulnerability information or indirect injections to orchestrator agents, potentially causing cascading analytical errors.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).