MCP yfinance Server (9nate-drake) — agentic threat model
The MCP yfinance Server has a very low risk profile due to its read-only nature and reliance on public data with no credentials. The primary risk is downstream, where other agents relying on its unverified market data could make flawed financial decisions if the data is manipulated or inaccurate.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.00 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.10 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.10 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary because the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — This is an MCP tool server rather than a foundation model. However, the calling LLM could be susceptible to prompt injection that forces it to misinterpret or hallucinate the financial data returned by this server.
Layer 2 (Data Operations): The server fetches live, unverified market data from Yahoo Finance via the yfinance library. The primary threat is data poisoning or upstream manipulation of Yahoo Finance data, which is passed directly to the agent without verification.
Layer 3 (Agent Frameworks): Exposes read-only tools via the Model Context Protocol (MCP). Threats include input validation failures if the calling agent passes malformed ticker symbols, or framework-level vulnerabilities if the tool's JSON output is not properly parsed.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The deployment environment (local or cloud container) is not specified. Standard infrastructure threats like local network exposure or dependency vulnerabilities in the underlying python-yfinance package apply.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in logging, rate-limiting, or output guardrails. Downstream agents must implement their own validation to detect anomalous or drifted market data.
Layer 6 (Security and Compliance): The tool is entirely read-only and requires no API keys or authentication. While this eliminates credential theft risks, it lacks access controls, audit trails, or policy enforcement to govern which agents can query the data.
Layer 7 (Agent Ecosystem): Designed to integrate into broader agent ecosystems via MCP. A compromised or rogue agent could abuse this tool to spam requests (leading to IP bans by Yahoo Finance) or propagate unverified financial data to trigger cascading automated trading failures.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).