
mcp-osv (gleicon) — agentic threat model

AIVSS 7.3 · High

mcp-osv acts as a local security utility with access to the host filesystem for secret scanning and external APIs for vulnerability lookups. Its primary risk lies in potential tool misuse, where an LLM or malicious agent could exploit it to read sensitive local files or exfiltrate discovered credentials.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 6.8
AARS uplift: 0.51
Factor sum: 1.6 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.40
Persistent Memory: 0.00
Contextual Awareness: 0.20
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.30
Non-Determinism: 0.10
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
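The following is an added worked example that reproduces the score above from the formula and the ten factor values on this listing; it is illustrative code, not part of the listing, the AIVSS calculator, or mcp-osv. The one-decimal rounding and the qualitative severity bands (taken to follow CVSS v3.1 conventions) are assumptions.

```python
"""Worked OWASP AIVSS computation for this listing (added example, not
project code). Severity bands and rounding are assumed, see the lead-in."""

CVSS_BASE = 6.8            # "CVSS base 6.8" on the listing
THREAT_MULTIPLIER = 1.0    # ThM, "Threat x1.0"
MITIGATION_FACTOR = 1.0    # "Mitigation x1.0"

# The ten agentic risk factors with the values shown on the listing.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.40,
    "Persistent Memory": 0.00,
    "Contextual Awareness": 0.20,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.10,
    "Opacity & Reflexivity": 0.20,
}


def factor_sum(factors: dict) -> float:
    """Sum of the agentic factors; the formula normalises it by 10."""
    total = sum(factors.values())
    if not 0.0 <= total <= 10.0:
        raise ValueError(f"factor sum {total} outside [0, 10]")
    return total


def aars(cvss_base: float, factors: dict, threat: float = THREAT_MULTIPLIER) -> float:
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM.

    The uplift scales the headroom left above the CVSS base, so a high base
    score leaves little room for agentic factors to add to it.
    """
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat


def aivss(cvss_base: float, factors: dict,
          threat: float = THREAT_MULTIPLIER,
          mitigation: float = MITIGATION_FACTOR) -> float:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, capped at 10.0 and
    rounded to one decimal (rounding is an assumption)."""
    raw = (cvss_base + aars(cvss_base, factors, threat)) * mitigation
    return round(min(raw, 10.0), 1)


def severity(score: float) -> str:
    """Qualitative band; assumed to follow CVSS v3.1 rating conventions."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_listing() -> dict:
    """Recompute the three numbers shown at the top of the listing."""
    total = aivss(CVSS_BASE, AGENTIC_FACTORS)
    return {
        "aars": round(aars(CVSS_BASE, AGENTIC_FACTORS), 2),
        "aivss": total,
        "severity": severity(total),
    }


if __name__ == "__main__":
    print(score_listing())
```

Because the factor sum is only 1.6 of a possible 10, the uplift is 0.51 and the final score is dominated by the CVSS base; the formula also shows that a Mitigation_Factor below 1.0 scales the whole score rather than only the agentic uplift, so operator-side controls (sandboxing, path restrictions, logging) are what move this listing out of the High band.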

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing describes an MCP server (tool provider) rather than the foundation model itself. Model-level threats like adversarial manipulation or alignment issues depend entirely on the external LLM client hosting this tool.

L2 · Data Operations (✓ mapped)

Queries the external OSV.dev database and reads local source code files for Gitleaks scanning. Threats include data poisoning of the external vulnerability database and potential exfiltration of local source code or discovered secrets if the data flow is intercepted.

L3 · Agent Frameworks (✓ mapped)

Exposes Gitleaks and OSV.dev lookups via the Model Context Protocol (MCP). Threats include tool misuse, where a compromised or confused agent is manipulated into scanning unauthorized directories or exposing sensitive files via path traversal.
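The mitigation for the L3 threat above is to confine any client-supplied scan path to an operator-configured root before a scanning tool touches the filesystem. The code below is an added defensive example, not part of mcp-osv; the function names, the single configured root, and the use of Python are assumptions, and the sample directory it builds is constructed for the check.

```python
"""Added example: confine an MCP scan-path argument to an allowed root.
Illustrative code, not part of mcp-osv; names and the single-root policy
are assumptions."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathOutsideRoot(ValueError):
    """Raised when a requested path would escape the allowed scan root."""


def resolve_scan_path(requested: str, allowed_root: Path) -> Path:
    """Return the fully resolved path for `requested`, or raise PathOutsideRoot.

    The root is resolved first so a symlinked root compares correctly; the
    candidate is resolved with strict=False so '..' and symlink components are
    collapsed even when the final file does not exist yet.
    """
    root = allowed_root.resolve(strict=True)
    # pathlib discards `root` when `requested` is absolute, so an absolute
    # request is judged on its own resolved location, which is what we want.
    candidate = (root / requested).resolve(strict=False)
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathOutsideRoot(f"refusing to scan outside {root}: {requested!r}") from None
    return candidate


def guard_scan_request(requested: str, allowed_root: Path) -> tuple[bool, str]:
    """Policy wrapper for a tool handler: never raises, returns the decision and
    a one-line reason the host can log (the L5 visibility the listing lacks)."""
    try:
        target = resolve_scan_path(requested, allowed_root)
    except (PathOutsideRoot, FileNotFoundError) as exc:
        return False, f"denied: {exc}"
    return True, f"allowed: {target}"


def self_check() -> dict:
    """Exercise the guard against constructed inputs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "app.py").write_text("API_KEY = 'constructed-sample'\n")
        # A symlink inside the root that points at its parent directory.
        os.symlink(os.path.dirname(d), root / "escape")
        return {
            "inside": guard_scan_request("src/app.py", root)[0],
            "dotdot": guard_scan_request("../../etc/passwd", root)[0],
            "absolute": guard_scan_request("/etc/passwd", root)[0],
            "symlink": guard_scan_request("escape/other", root)[0],
            "missing_root": guard_scan_request("x", root / "nope")[0],
        }


if __name__ == "__main__":
    for name, allowed in self_check().items():
        print(f"{name:13s} {'allowed' if allowed else 'denied'}")
```

The check resolves symlinks on both sides before comparing, because a prefix comparison on the unresolved string is what path-traversal and symlink tricks defeat; pairing it with a read-only, non-root container for the MCP host (the L4 point) limits what a confused agent can reach even if a guard is missed.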

L4 · Deployment & Infrastructure (✓ mapped)

Communicates over stdio via MCP, meaning it runs locally within the host environment of the client. Threats include host file system compromise and privilege escalation if the MCP host runs with excessive permissions without container sandboxing.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in logging, evaluation frameworks, or guardrails to monitor the queries being made or to detect anomalous scanning behavior.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Lacks independent authentication or authorization mechanisms, relying entirely on the transport layer (stdio) and the host MCP client's security policy to restrict access to its capabilities.

L7 · Agent Ecosystem (✓ mapped)

Operates within the MCP ecosystem. Threats include agent-to-agent trust abuse, where a secondary malicious agent interacts with the primary agent to trigger secret scans and harvest credentials from the local environment.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).