OpenAlex MCP — agentic threat model
The OpenAlex MCP tool is a low-risk, read-only connector for querying public scholarly metadata. Its primary security boundary is its lack of write capabilities and sensitive credentials, though it remains a potential vector for indirect prompt injection if malicious academic records are ingested into an LLM's context.
OWASP AIVSS score rationale
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.00 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.10 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.20 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.10 | |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The listing does not specify the host LLM. However, the primary L1 threat is indirect prompt injection or model reprogramming if the model processes adversarial text embedded within retrieved scholarly publications.
The data is read-only, public scholarly metadata from OpenAlex. The main threat is data poisoning of the upstream catalog (e.g., malicious actors publishing papers with exploit payloads) which are then ingested into the agent's context.
As an MCP tool, it integrates directly into agent frameworks. The primary threat is insecure tool integration, where the orchestrating framework fails to sanitize or limit the size of the retrieved scholarly metadata, leading to context exhaustion or injection.
Not certain from the listing — The deployment environment of the MCP server is not detailed. Standard infrastructure threats include dependency vulnerabilities in the connector code and lack of network sandboxing when querying the OpenAlex API.
Not certain from the listing — There are no mentioned evaluation, logging, or guardrail mechanisms. This creates a blind spot where malicious or anomalous payloads retrieved from the scholarly graph cannot be detected.
The tool requires no authentication credentials beyond a polite-pool email and has no write surface, which inherently limits compliance and authorization risks, though it lacks formal access controls or audit logging.
Designed for agent ecosystems via MCP. The threat involves cascading failures or trust abuse where a downstream agent blindly trusts the scholarly data retrieved by this tool, leading to secondary exploitation.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).