BullRun — agentic threat model
BullRun presents a moderate security risk, centred on the exposure of sensitive personal financial portfolio data through its hosted remote MCP endpoint. Although the endpoint is protected by OAuth, the handling of user tokens and the potential for unauthorized data exfiltration through LLM tool misuse are the key concerns.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors are estimated from the agent's described capabilities rather than from testing.
MAESTRO 7-layer threat model
Per-layer threats for this agent, one entry per MAESTRO layer. Layers tagged "not certain from the listing" are general, caveated commentary where the public description did not give enough detail to assess that layer.
Layer 1 (Foundation Models): Not certain from the listing. BullRun acts as an MCP server providing tools to external LLMs, so the foundation-model risk depends entirely on the client LLM used to call these tools.
Layer 2 (Data Operations): Accesses personal portfolio data and financial market data. Risks include exfiltration of sensitive portfolio holdings and manipulation of the financial data the tools consume as input.
Layer 3 (Agent Frameworks): Implements MCP tools for financial analysis. Vulnerable to tool misuse if an orchestrating LLM is tricked into executing unauthorized portfolio queries or into leaking portfolio data through tool outputs.
Layer 4 (Deployment and Infrastructure): Hosted remote service. Risks include container/host compromise, insecure token storage, and exposure of the remote endpoint to unauthorized network traffic.
Layer 5 (Evaluation and Observability): Not certain from the listing. No explicit logging, auditing, or guardrails are mentioned for tracking MCP tool execution or detecting anomalous portfolio access.
Layer 6 (Security and Compliance): Uses OAuth to protect the remote endpoint and manage access to personal portfolios. Key risks involve OAuth token leakage, session hijacking, and weak authorization policies.
Layer 7 (Agent Ecosystem): Designed to integrate into an LLM/agent ecosystem via MCP. Risks include cascading failures if a compromised orchestrator agent abuses BullRun's portfolio analysis tools.
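The layers above converge on one control: a tool handler must take the acting principal from the validated OAuth token, never from tool arguments an LLM could be induced to supply, and must record every call so anomalous portfolio access is detectable. The following is an added illustration written for this page, not BullRun's own code; the `get_portfolio` tool, the bearer tokens, the introspection results and the holdings are all constructed, and a real server would call its authorization server's token introspection endpoint instead of consulting a dictionary.

```python
"""Scoped MCP-style tool dispatch for a portfolio server (illustrative, not BullRun's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Optional

# Constructed stand-in for OAuth token introspection results, keyed by bearer token.
INTROSPECTED_TOKENS = {
    "tok-alice": {"active": True, "sub": "alice", "scope": "portfolio:read"},
    "tok-bob": {"active": True, "sub": "bob", "scope": "portfolio:read"},
    "tok-stale": {"active": False, "sub": "carol", "scope": "portfolio:read"},
    "tok-noscope": {"active": True, "sub": "dave", "scope": "profile"},
}

# Constructed portfolio holdings, keyed by the OAuth subject that owns them.
PORTFOLIOS = {
    "alice": {"AAPL": 10, "MSFT": 5},
    "bob": {"TSLA": 3},
}


@dataclass
class AuditEntry:
    ts: str
    sub: Optional[str]
    tool: str
    outcome: str  # "ok", "denied" or "flagged"
    detail: str = ""


AUDIT_LOG: list = []


def _audit(sub: Optional[str], tool: str, outcome: str, detail: str = "") -> None:
    """Append one audit record; a production server would ship this to a SIEM."""
    AUDIT_LOG.append(AuditEntry(datetime.now(timezone.utc).isoformat(), sub, tool, outcome, detail))


def handle_tool_call(tool: str, args: dict, bearer_token: str) -> dict:
    """Dispatch one MCP tool call with data access bound to the OAuth subject.

    The principal is derived from the token, not from `args`, so a tool
    argument naming another user (for example via prompt injection) cannot
    redirect the query to that user's portfolio. Every outcome is audited.
    """
    info = INTROSPECTED_TOKENS.get(bearer_token)
    if info is None or not info["active"]:
        _audit(None, tool, "denied", "inactive or unknown token")
        return {"error": "unauthorized"}
    sub = info["sub"]

    if tool != "get_portfolio":  # the only (hypothetical) tool this handler exposes
        _audit(sub, tool, "denied", "unknown tool")
        return {"error": "unknown tool"}

    if "portfolio:read" not in info["scope"].split():
        _audit(sub, tool, "denied", "missing scope portfolio:read")
        return {"error": "forbidden"}

    requested = args.get("user_id")
    if requested is not None and requested != sub:
        # Cross-user request: ignore the argument, serve the caller's own data, and flag it.
        _audit(sub, tool, "flagged", f"args named user_id={requested!r}; ignored")

    holdings = PORTFOLIOS.get(sub, {})
    _audit(sub, tool, "ok", f"{len(holdings)} positions returned")
    return {"user_id": sub, "holdings": holdings}


def flagged_events() -> list:
    """Detection hook: audit entries that merit an alert (denials and cross-user attempts)."""
    return [e for e in AUDIT_LOG if e.outcome in ("flagged", "denied")]


if __name__ == "__main__":
    print(handle_tool_call("get_portfolio", {}, "tok-alice"))
    print(handle_tool_call("get_portfolio", {"user_id": "alice"}, "tok-bob"))
    print(handle_tool_call("get_portfolio", {}, "tok-stale"))
    for e in flagged_events():
        print(e)
```

The cross-user branch deliberately does not error out: returning the caller's own data keeps the tool usable while the audit record still surfaces the attempt, which is the signal a Layer 5 detection pipeline would want.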
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).