AgentReadyHomeAgent Listing

← PubMed MCP

PubMed MCP — agentic threat model

5.9AIVSS 5.9 · Medium

The PubMed MCP agent presents a low-to-moderate risk profile, acting as a read-only gateway to public biomedical literature. Its primary security exposure is indirect prompt injection from untrusted external text fetched into the host LLM's context.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 4.8AARS uplift 1.09Factor sum 2.1/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.30
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.40
Persistent Memory
0.00
Contextual Awareness
0.50
Dynamic Identity
0.10
Multi-Agent Interactions
0.20
Non-Determinism
0.30
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

The primary threat is indirect prompt injection. Because the tool fetches untrusted full-text and abstracts from PubMed and injects them directly into the model context, a malicious paper could contain adversarial instructions designed to hijack or reprogram the LLM.

L2 · Data Operations✓ mapped

Data is sourced from the public NCBI PubMed database. While direct database poisoning is difficult due to NCBI's curation, attackers could theoretically publish peer-reviewed or preprint papers containing malicious payloads designed to target LLM-based researchers.

L3 · Agent Frameworks✓ mapped

The tool integrates via the Model Context Protocol (MCP). Vulnerabilities include insecure tool integration where the orchestrating agent fails to sanitize inputs sent to the NCBI API, or fails to handle malformed API responses safely.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The hosting environment of this MCP server is unspecified. Standard risks include container compromise, lack of network sandboxing, and potential SSRF if the server can be coerced into calling non-NCBI endpoints.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There are no mentioned guardrails, content filtering, or logging mechanisms to detect if retrieved biomedical text contains malicious instructions or prompt injections before passing them to the model.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — The tool does not specify authentication or authorization controls for accessing the MCP server itself, though NCBI E-utilities may require an API key for rate limiting.

L7 · Agent Ecosystem✓ mapped

As an open-source MCP tool, it is designed to be plugged into broader agent ecosystems. A compromised orchestrating agent could abuse this tool to perform denial-of-service attacks against NCBI or leak context data through search queries.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).