Alby Bitcoin Payments MCP — agentic threat model

AIVSS 9.4 · Critical

The Alby Bitcoin Payments MCP presents a high-risk profile due to its direct control over spendable Bitcoin Lightning wallets, where a lack of built-in transaction limits or mandatory human-in-the-loop confirmations could allow a compromised agent to instantly drain funds.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 8.9 · AARS uplift 0.5 · Factor sum 4.1/10 · Threat ×1.1 · Mitigation ×1.0

Autonomy of Action: 0.80
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.90
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.60
Non-Determinism: 0.20
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing: it does not specify the underlying LLM or foundation model used by the MCP host. Adversarial prompt injection against the host model is still a primary vector for triggering unauthorized payment tools.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing: no details are provided regarding data operations, RAG, or vector stores used by this specific MCP tool.

L3 · Agent Frameworks ✓ mapped

The agent framework layer is highly critical here as this is an MCP tool. Insecure tool integration or lack of strict input validation on the orchestrator side could allow malicious prompt injections to craft unauthorized payment instructions (e.g., changing destination addresses or amounts).

L4 · Deployment & Infrastructure ✓ mapped

The MCP server runs locally or in a hosted environment, requiring secure storage of wallet credentials, private keys, or API tokens. Compromise of the host environment would lead to direct exposure of these secrets and total wallet compromise.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing: it does not mention built-in transaction logging, anomaly detection, or guardrails to monitor and block suspicious payment patterns.

L6 · Security & Compliance (cross-cutting) ✓ mapped

Security and compliance are central concerns, specifically the scope of wallet connection permissions and the enforcement of payment confirmations (Human-in-the-Loop). Without explicit policy enforcement at this layer, the tool remains highly vulnerable to abuse.
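
One way to enforce the transaction limits and human-in-the-loop confirmation discussed under L3 and L6, shown as an added example (not code from Alby or from this listing). The `PaymentPolicy` class, its field names, the destination format and the limits are assumptions; amounts are in satoshis.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

DAY_SECONDS = 24 * 60 * 60


@dataclass
class PaymentPolicy:
    """Hypothetical gate placed between the agent and the wallet's payment tool."""
    per_payment_cap_sats: int            # hard ceiling, not overridable by a prompt
    daily_budget_sats: int               # rolling 24 h spend ceiling
    confirm_above_sats: int              # above this, a human must approve
    allowed_destinations: frozenset      # payees the operator has pre-approved
    confirm: Callable[[str, int], bool]  # out-of-band human approval callback
    clock: Callable[[], float] = time.time
    _spent: List[Tuple[float, int]] = field(default_factory=list)

    def _spent_last_day(self) -> int:
        # Drop entries older than 24 h, then total what remains.
        cutoff = self.clock() - DAY_SECONDS
        self._spent = [(t, a) for t, a in self._spent if t > cutoff]
        return sum(a for _, a in self._spent)

    def authorize(self, destination: str, amount_sats) -> Tuple[bool, str]:
        """Return (allowed, reason). Malformed or unexpected input is denied."""
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(amount_sats, bool) or not isinstance(amount_sats, int) or amount_sats <= 0:
            return False, "invalid amount"
        if destination not in self.allowed_destinations:
            return False, "destination not allowlisted"
        if amount_sats > self.per_payment_cap_sats:
            return False, "exceeds per-payment cap"
        if self._spent_last_day() + amount_sats > self.daily_budget_sats:
            return False, "exceeds daily budget"
        if amount_sats > self.confirm_above_sats:
            try:
                approved = self.confirm(destination, amount_sats) is True
            except Exception:
                approved = False  # fail closed if the approval channel breaks
            if not approved:
                return False, "human confirmation declined"
        # Budget is reserved at authorization time, so a payment that later
        # fails still counts against the day (the conservative choice).
        self._spent.append((self.clock(), amount_sats))
        return True, "ok"
```

The gate only helps if it runs outside the model's control, in the MCP host or a proxy in front of the server, so that injected instructions cannot change the limits or answer the confirmation themselves.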

L7 · Agent Ecosystem ✓ mapped

Because this tool connects wallets directly to agents, it operates in a multi-agent ecosystem where a secondary, compromised, or malicious agent could interact with the host agent and abuse the payment tool via agent-to-agent trust exploitation.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).