AgentReadyHomeAgent Listing

← mcp-nvd (marcoeg)

mcp-nvd (marcoeg) — agentic threat model

4.9AIVSS 4.9 · Medium

The mcp-nvd agent is a highly focused, read-only tool with minimal agentic risk, primarily acting as an informational bridge to the NIST NVD API. Its main security exposure is the potential ingestion of attacker-controlled CVE descriptions into an LLM context, which could trigger downstream prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 4.3AARS uplift 0.6Factor sum 1.1/10Threat ×0.95Mitigation ×1.0
Autonomy of Action
0.10
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.20
Persistent Memory
0.00
Contextual Awareness
0.20
Dynamic Identity
0.10
Multi-Agent Interactions
0.10
Non-Determinism
0.20
Opacity & Reflexivity
0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

The agent itself does not host a foundation model, but it feeds external CVE data directly into consuming LLMs. The primary threat is indirect prompt injection, where an attacker crafts a malicious CVE description in the NVD database to hijack the consuming model's behavior upon retrieval.

L2 · Data Operations✓ mapped

Data operations are limited to querying the external NIST NVD API. There is no local vector database or RAG store to poison, but the agent relies entirely on the integrity and availability of the upstream NVD data source.

L3 · Agent Frameworks✓ mapped

As an MCP server, it exposes structured tools for CVE lookup. The tool surface is read-only and highly constrained, minimizing risks of tool misuse or arbitrary code execution, though the consuming framework must safely handle the returned JSON payload.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — the deployment model depends on how the host runs this MCP server (e.g., locally via Node/Python or inside a container). If run locally without sandboxing, any vulnerability in the MCP host or the tool's dependencies could expose the host system.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there is no mention of built-in logging, rate-limiting, or input/output guardrails within this lightweight tool. Monitoring of API usage and payload sanitization must be handled by the orchestrating framework.

L6 · Security & Compliance (cross-cutting)✓ mapped

The tool is open-source and free with no built-in authentication or authorization mechanisms. It relies on the host environment to manage API keys (if required by NVD for higher rate limits) and to enforce access controls.

L7 · Agent Ecosystem✓ mapped

In a multi-agent ecosystem, this agent serves as a specialized utility. If compromised or fed malicious data, it could propagate inaccurate vulnerability information or indirect injections to orchestrator agents, potentially causing cascading analytical errors.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).