AgentReadyHomeAgent Listing

← OpenAlex MCP

OpenAlex MCP — agentic threat model

2.9AIVSS 2.9 · Low

The OpenAlex MCP tool is a low-risk, read-only connector for querying public scholarly metadata. Its primary security boundary is its lack of write capabilities and sensitive credentials, though it remains a potential vector for indirect prompt injection if malicious academic records are ingested into an LLM's context.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 3.1AARS uplift 0.52Factor sum 0.8/10Threat ×0.95Mitigation ×0.8
Autonomy of Action
0.10
Goal-Driven Planning
0.00
Self-Modification
0.00
Dynamic Tool Use
0.10
Persistent Memory
0.00
Contextual Awareness
0.20
Dynamic Identity
0.10
Multi-Agent Interactions
0.10
Non-Determinism
0.10
Opacity & Reflexivity
0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The listing does not specify the host LLM. However, the primary L1 threat is indirect prompt injection or model reprogramming if the model processes adversarial text embedded within retrieved scholarly publications.

L2 · Data Operations✓ mapped

The data is read-only, public scholarly metadata from OpenAlex. The main threat is data poisoning of the upstream catalog (e.g., malicious actors publishing papers with exploit payloads) which are then ingested into the agent's context.

L3 · Agent Frameworks✓ mapped

As an MCP tool, it integrates directly into agent frameworks. The primary threat is insecure tool integration, where the orchestrating framework fails to sanitize or limit the size of the retrieved scholarly metadata, leading to context exhaustion or injection.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The deployment environment of the MCP server is not detailed. Standard infrastructure threats include dependency vulnerabilities in the connector code and lack of network sandboxing when querying the OpenAlex API.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There are no mentioned evaluation, logging, or guardrail mechanisms. This creates a blind spot where malicious or anomalous payloads retrieved from the scholarly graph cannot be detected.

L6 · Security & Compliance (cross-cutting)✓ mapped

The tool requires no authentication credentials beyond a polite-pool email and has no write surface, which inherently limits compliance and authorization risks, though it lacks formal access controls or audit logging.

L7 · Agent Ecosystem✓ mapped

Designed for agent ecosystems via MCP. The threat involves cascading failures or trust abuse where a downstream agent blindly trusts the scholarly data retrieved by this tool, leading to secondary exploitation.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).