mcp-osv (gleicon) — agentic threat model
mcp-osv acts as a local security utility with access to the host filesystem for secret scanning and external APIs for vulnerability lookups. Its primary risk lies in potential tool misuse, where an LLM or malicious agent could exploit it to read sensitive local files or exfiltrate discovered credentials.
OWASP AIVSS score rationale
| Factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.20 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.10 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The listing describes an MCP server (tool provider) rather than the foundation model itself. Model-level threats like adversarial manipulation or alignment issues depend entirely on the external LLM client hosting this tool.
Layer 2 (Data Operations): Queries the external OSV.dev database and reads local source code files for Gitleaks scanning. Threats include data poisoning of the external vulnerability database and potential exfiltration of local source code or discovered secrets if the data flow is intercepted.
Layer 3 (Agent Frameworks): Exposes Gitleaks and OSV.dev lookups via the Model Context Protocol (MCP). Threats include tool misuse, where a compromised or confused agent is manipulated into scanning unauthorized directories or exposing sensitive files via path traversal.
Layer 4 (Deployment & Infrastructure): Communicates over stdio via MCP, meaning it runs locally within the host environment of the client. Threats include host file system compromise and privilege escalation if the MCP host runs with excessive permissions without container sandboxing.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of built-in logging, evaluation frameworks, or guardrails to monitor the queries being made or to detect anomalous scanning behavior.
Layer 6 (Security & Compliance): Lacks independent authentication or authorization mechanisms, relying entirely on the transport layer (stdio) and the host MCP client's security policy to restrict access to its capabilities.
Layer 7 (Agent Ecosystem): Operates within the MCP ecosystem. Threats include agent-to-agent trust abuse, where a secondary malicious agent interacts with the primary agent to trigger secret scans and harvest credentials from the local environment.
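The two mitigations a host or tool author would most want against the threats above are (a) confining the scan tool to an allowlisted root so a confused agent cannot steer it into unauthorized directories via `..`, absolute paths or symlinks, and (b) redacting matched secrets before they are returned over MCP, so a scan cannot be used to harvest full credentials. The following is an added example illustrating both; it is not mcp-osv's own code, the function names (`resolve_scan_path`, `redact_findings`, `demo`) are hypothetical, and the sample findings are constructed values shaped like a secret scanner's output, not real keys.

```python
import tempfile
from pathlib import Path

# Added example (not mcp-osv's own code): confine a directory-scanning tool to
# an allowlisted root and redact any secrets it finds before they are returned
# to the calling agent. All names below are hypothetical.


class ScanPathError(ValueError):
    """Raised when a requested scan path escapes the allowed root."""


def resolve_scan_path(requested: str, allowed_root) -> Path:
    """Return the canonical path for `requested` if it lies inside `allowed_root`.

    Both sides are resolved first, so '..' segments, absolute paths and symlinks
    that point out of the tree are all compared on their real location.
    """
    root = Path(allowed_root).resolve(strict=True)
    # pathlib discards `root` when `requested` is absolute, which is what we want:
    # an absolute request is then judged purely on where it really points.
    target = (root / requested).resolve(strict=False)
    try:
        target.relative_to(root)
    except ValueError:
        raise ScanPathError(f"{requested!r} resolves to {target}, outside {root}") from None
    return target


def redact_secret(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding stays identifiable without exposing the value."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def redact_findings(findings):
    """Return a copy of scanner findings with the matched secret redacted."""
    return [{**f, "secret": redact_secret(f["secret"])} for f in findings]


# Constructed sample findings, shaped like a secret scanner's output (not real keys).
SAMPLE_FINDINGS = [
    {"file": "config/.env", "rule": "generic-api-key", "secret": "AKIAEXAMPLE0123456789"},
    {"file": "deploy/key.pem", "rule": "private-key", "secret": "-----BEGIN PRIVATE KEY-----"},
]


def demo():
    """Exercise the path check against a scratch tree; returns a dict of outcomes."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as outside:
        root = Path(tmp)
        (root / "src").mkdir()
        # A symlink inside the root that points to a directory outside it.
        (root / "escape").symlink_to(outside, target_is_directory=True)

        outcomes = {"inside": resolve_scan_path("src", root) == (root / "src").resolve()}
        for name, request in [("dotdot", "../"), ("absolute", outside), ("symlink", "escape")]:
            try:
                resolve_scan_path(request, root)
                outcomes[name] = "allowed"
            except ScanPathError:
                outcomes[name] = "rejected"
        return outcomes


if __name__ == "__main__":
    print(demo())
    for finding in redact_findings(SAMPLE_FINDINGS):
        print(finding)
```

The check resolves both the root and the request before comparing, which is what makes the symlink case fail closed: a string-prefix comparison on the unresolved path would accept `escape/` even though it points outside the tree. Redaction keeps enough of each match for a human to locate and rotate the credential while denying the calling agent the full value.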
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).