Whois MCP — agentic threat model
The Whois MCP agent is a low-risk, read-only utility designed for OSINT and threat intelligence enrichment. Its primary security exposure lies in potential tool misuse or SSRF-like behavior if queried domains/IPs are not properly sanitized before external lookup.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.20 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.10 | |
| Opacity & Reflexivity | 0.10 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary for layers that the public description did not pin down.
1. Foundation Models — Not certain from the listing — The agent relies on an external host LLM via the Model Context Protocol (MCP). The primary L1 risk is indirect prompt injection, where malicious WHOIS record payloads could manipulate the calling LLM's behavior during enrichment.
2. Data Operations — The agent does not maintain a vector database or local training data. Data operations are transient, fetching external WHOIS/ASN records. Risks include data poisoning of upstream WHOIS registries or spoofed responses.
3. Agent Frameworks — Exposes WHOIS lookup tools to an MCP host. Risks include insecure tool integration where unvalidated user inputs are passed directly to WHOIS client libraries, potentially leading to command injection or path traversal depending on the underlying implementation.
4. Deployment and Infrastructure — Not certain from the listing — The deployment environment depends on how the user hosts the MCP server. If unsandboxed, network requests to port 43 (WHOIS) could be abused to probe internal networks or bypass egress controls.
5. Evaluation and Observability — Not certain from the listing — There is no mention of built-in logging, rate-limiting, or input validation guardrails to monitor query volume or detect abusive/malicious lookup patterns.
6. Security and Compliance — Not certain from the listing — The tool operates as a free, open-source utility without built-in authentication or access control policies, relying entirely on the parent MCP host framework for security compliance.
7. Agent Ecosystem — Designed to be integrated into larger agentic workflows (e.g., threat intel pipelines). A compromised orchestrator or upstream agent could abuse this tool to perform mass reconnaissance or trigger rate-limiting blocks on the hosting IP.
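An added example (not the Whois MCP project's own code) of the input gate that the tool-integration and deployment points above call for: every query is classified as either an IP literal or a hostname before any lookup, non-global addresses are refused so port-43 requests cannot be aimed at internal ranges, and anything that is not a syntactically valid hostname is rejected, which also keeps shell metacharacters and path fragments away from the WHOIS client library. The function names are the example's own.

```python
"""Validation gate for WHOIS lookup inputs (added example, not the project's code)."""
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_query(raw: str) -> tuple[str, str]:
    """Return (kind, normalized) where kind is 'ip' or 'domain'.

    Raises ValueError for anything that should never reach the WHOIS client:
    metacharacters, malformed names, and addresses in private, loopback,
    link-local, documentation or other non-global ranges (the "probe internal
    networks over port 43" case).
    """
    q = raw.strip()
    if not q or len(q) > 253:
        raise ValueError("empty or overlong query")
    # IP literal first: ipaddress rejects anything that is not a bare address.
    try:
        ip = ipaddress.ip_address(q)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            raise ValueError(f"non-global address refused: {ip}")
        return "ip", str(ip)
    # Hostname path: lowercase, drop one trailing dot, then check every label.
    name = q.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid hostname: {raw!r}")
    return "domain", name


def is_safe_query(raw: str) -> bool:
    """Boolean wrapper for use as a tool-call precondition."""
    try:
        classify_query(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two that pass the gate, several that must not.
    for sample in ["Example.COM.", "8.8.8.8", "10.0.0.1", "example.com; id", "localhost"]:
        print(f"{sample!r:22} -> {'allow' if is_safe_query(sample) else 'refuse'}")
```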
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).