AgentReadyHomeAgent Listing

← Met Museum MCP

Met Museum MCP — agentic threat model

3.7AIVSS 3.7 · Low

The Met Museum MCP is a low-risk, read-only connector exposing public museum data, with its primary security concern being indirect prompt injection from external artwork metadata injected into the model context.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 3.1AARS uplift 1.05Factor sum 1.6/10Threat ×0.95Mitigation ×0.9
Autonomy of Action
0.10
Goal-Driven Planning
0.20
Self-Modification
0.00
Dynamic Tool Use
0.30
Persistent Memory
0.00
Contextual Awareness
0.40
Dynamic Identity
0.00
Multi-Agent Interactions
0.10
Non-Determinism
0.30
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The agent relies on an external LLM to process the MCP tool outputs. The primary threat is model reprogramming or jailbreaking via indirect prompt injection, as the model processes untrusted, external artwork descriptions retrieved from the museum API.

L2 · Data Operations✓ mapped

The agent queries the Met Museum's public open-access API. While data poisoning of the museum's official database is unlikely, any compromised or malicious metadata returned by the API acts as unvalidated external data injected directly into the agent's context window.

L3 · Agent Frameworks✓ mapped

Exposes read-only tools (search, metadata lookup, department browsing) via the Model Context Protocol (MCP). Tool misuse is low-risk due to the read-only nature of the API, but framework vulnerabilities could allow exploitation if the orchestrator does not safely handle the returned JSON payloads.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The deployment environment of the MCP server is unspecified. Standard risks include insecure local hosting of the MCP server, lack of transport layer security if hosted remotely, and potential exposure of the host system if the MCP runtime itself is compromised.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in logging, input/output filtering, or guardrails to detect if retrieved museum metadata contains malicious injection payloads before they are rendered to the user or model.

L6 · Security & Compliance (cross-cutting)✓ mapped

The tool is open-source and free, with no built-in authentication or authorization mechanisms described. It relies entirely on the host client's security posture and the public, unauthenticated nature of the Met Museum API.

L7 · Agent Ecosystem✓ mapped

Designed as an MCP tool to be consumed by other agents. If integrated into a larger multi-agent system, a compromised or injected museum description could propagate downstream, causing cascading failures or unexpected behavior in orchestrator agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).