Ramp MCP — agentic threat model

AIVSS 8.7 · High

Ramp MCP exposes highly sensitive corporate financial and transaction data to LLM agents via the Model Context Protocol. Its risk profile is heavily dependent on the API token scopes, with potential for severe data exfiltration or unauthorized financial actions if compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.63
Factor sum: 4.0/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.50
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.60
Non-Determinism: 0.40
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
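To make the rationale above reproducible, here is an added Python example (not the listing's own calculator) that applies the quoted formula to the ten factor scores on this page and reproduces the 8.7 result; the severity bands and the clamp to the 0..10 scale are assumptions.

```python
from typing import Dict

# Agentic risk factor scores as given on this listing (copied from the page).
RAMP_MCP_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.50, "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00, "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.10, "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.40, "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.40, "Opacity & Reflexivity": 0.50,
}


def aivss_score(cvss_base: float, factors: Dict[str, float],
                threat_multiplier: float, mitigation_factor: float) -> Dict[str, float]:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, with
    AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM (formula as quoted on the page)."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must lie in [0, 10]")
    if len(factors) != 10:
        raise ValueError("AIVSS uses exactly ten agentic risk factors")
    bad = {n: v for n, v in factors.items() if not 0.0 <= v <= 1.0}
    if bad:
        raise ValueError(f"factor scores must lie in [0, 1]: {bad}")
    factor_sum = sum(factors.values())
    # AARS is the headroom above the CVSS base, scaled by how agentic the system is.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    aivss = (cvss_base + aars) * mitigation_factor
    return {
        "factor_sum": round(factor_sum, 2),
        "aars": round(aars, 2),
        "aivss": round(min(aivss, 10.0), 1),  # assumption: clamp to the 0..10 scale
    }


def severity(score: float) -> str:
    """Qualitative band. Assumption: the CVSS v3.x scale, which yields 'High' for 8.7."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


if __name__ == "__main__":
    result = aivss_score(8.5, RAMP_MCP_FACTORS, 1.05, 0.95)
    print(result, severity(result["aivss"]))  # aars 0.63, aivss 8.7, High
```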

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not specify that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — likely relies on external LLMs via MCP. Risks include prompt injection leading to unauthorized financial queries or misaligned financial advice.

L2 · Data Operations (✓ mapped)

Accesses corporate spend and transaction data via Ramp's Developer API. Risks include data exfiltration of sensitive financial records and unauthorized RAG/context injection.

L3 · Agent Frameworks (✓ mapped)

Integrates as an MCP tool. Risks include tool misuse (e.g., an orchestrating agent calling the Ramp API with malicious parameters) and insecure tool execution.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — deployment depends on how the MCP server is hosted (local vs. cloud). Risks include exposed API keys/secrets and lack of sandboxing for the MCP host.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — lacks explicit details on audit logging of API calls or LLM guardrails to prevent leakage of financial data.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Security relies heavily on Ramp Developer API scopes and token management. Compliance risks include exposure of PCI/PII data and lack of strict OAuth/access controls.

L7 · Agent Ecosystem (✓ mapped)

Part of the MCP ecosystem where other agents can call this tool. Risks include cascading failures if an upstream compromised agent abuses the Ramp MCP tool to extract financial data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).