Met Museum MCP — agentic threat model
The Met Museum MCP is a low-risk, read-only connector exposing public museum data, with its primary security concern being indirect prompt injection from external artwork metadata injected into the model context.
OWASP AIVSS score rationale
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The agent relies on an external LLM to process the MCP tool outputs. The primary threat is model reprogramming or jailbreaking via indirect prompt injection, as the model processes untrusted, external artwork descriptions retrieved from the museum API.
The agent queries the Met Museum's public open-access API. While data poisoning of the museum's official database is unlikely, any compromised or malicious metadata returned by the API acts as unvalidated external data injected directly into the agent's context window.
Exposes read-only tools (search, metadata lookup, department browsing) via the Model Context Protocol (MCP). Tool misuse is low-risk due to the read-only nature of the API, but framework vulnerabilities could allow exploitation if the orchestrator does not safely handle the returned JSON payloads.
Not certain from the listing — The deployment environment of the MCP server is unspecified. Standard risks include insecure local hosting of the MCP server, lack of transport layer security if hosted remotely, and potential exposure of the host system if the MCP runtime itself is compromised.
Not certain from the listing — There is no mention of built-in logging, input/output filtering, or guardrails to detect if retrieved museum metadata contains malicious injection payloads before they are rendered to the user or model.
The tool is open-source and free, with no built-in authentication or authorization mechanisms described. It relies entirely on the host client's security posture and the public, unauthenticated nature of the Met Museum API.
Designed as an MCP tool to be consumed by other agents. If integrated into a larger multi-agent system, a compromised or injected museum description could propagate downstream, causing cascading failures or unexpected behavior in orchestrator agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).