
AI Surface Report
────────────────────────────────────────────────────────────────────────────────
Scanned: demo-app
12 production AI surfaces · 13 risk indicators · across 6 detector(s)

LLM SDK CALL SITES
  • Anthropic SDK
      Models: claude-3-5-sonnet-20241022                                        
      → src/llm_service.py                                                      
      ⚠ non-literal data flows into LLM call                                    
      → validate this surface                                                   
  • OpenAI SDK
      Models: gpt-4-turbo                                                       
      → src/llm_service.py                                                      
      ⚠ non-literal data flows into LLM call                                    
      → validate this surface                                                   
  • AWS Bedrock
      Models: us.anthropic.claude-sonnet-4-20250514-v1:0                        
      → src/support_workflow.py                                                 

AGENT FRAMEWORKS
  • AWS Strands Agent: triage_agent (in src/support_workflow.py)
      Tools/perms: fetch_customer_profile, search_knowledge_base, escalate_to_human
      → src/support_workflow.py                                                 
  • LangChain Agent: support_agent (in src/chat_agent.py)
      Tools/perms: lookup_order, refund_payment, cancel_subscription            
      → src/chat_agent.py                                                       
      ⚠ financial action exposed                                                
      ⚠ high blast-radius combination                                           
      → validate this surface                                                   

MCP SERVERS
  • MCP Server: github-mcp
      Tools/perms: repo:read, issues:write, admin                               
      → .mcp.json                                                               
      ⚠ broad permissions                                                       
      → validate this surface                                                   
  • MCP Server: stripe-mcp
      Tools/perms: read_charges, refund, customer:read                          
      → .mcp.json                                                               
      ⚠ financial action exposed                                                
      → validate this surface                                                   
  • MCP Server (in-house): src/orders_mcp_server.py
      Tools/perms: lookup_order, refund_payment, cancel_order, delete_customer, update_record
      → src/orders_mcp_server.py                                                
      ⚠ in-house MCP server (custom code, audit recommended)                    
      ⚠ financial action exposed                                                
      → validate this surface                                                   

MODEL GATEWAYS
  • Model Gateway: LiteLLM
      Tools/perms: claude-sonnet-4, gpt-4, bedrock-claude                       
      → litellm.config.yaml                                                     
      ⚠ multi-model routing layer (production traffic flows through this)       
      → validate this surface                                                   

AI INFRASTRUCTURE
  • K8s AI Workload: vllm (in deploy/vllm-embeddings.yaml)
      → deploy/vllm-embeddings.yaml                                             
      ⚠ self-hosted LLM runtime (operational responsibility on the team)        
      → validate this surface                                                   
  • Bedrock provisioned throughput: anthropic.claude-sonnet-4-20250514-v1:0
      → deploy/bedrock.tf                                                       
      ⚠ high-cost AI infrastructure (billing exposure)                          
      → validate this surface                                                   

AI PROVIDER API KEYS
  • AI Provider API Keys
      → .env.example                                                            
      ⚠ multiple AI provider keys present                                       
      ⚠ observability/tracing key present (production telemetry to third party) 
      → validate this surface                                                   

────────────────────────────────────────────────────────────────────────────────
Risk indicators (13):
  ⚠ MCP Server: github-mcp: broad permissions
  ⚠ MCP Server: stripe-mcp: financial action exposed
  ⚠ MCP Server (in-house): src/orders_mcp_server.py: in-house MCP server (custom code, audit recommended)
  ⚠ MCP Server (in-house): src/orders_mcp_server.py: financial action exposed
  ⚠ Anthropic SDK: non-literal data flows into LLM call
  ⚠ OpenAI SDK: non-literal data flows into LLM call
  ⚠ LangChain Agent: support_agent (in src/chat_agent.py): financial action exposed
  ⚠ LangChain Agent: support_agent (in src/chat_agent.py): high blast-radius combination
  ⚠ AI Provider API Keys: multiple AI provider keys present
  ⚠ AI Provider API Keys: observability/tracing key present (production telemetry to third party)
  ⚠ Model Gateway: LiteLLM: multi-model routing layer (production traffic flows through this)
  ⚠ K8s AI Workload: vllm (in deploy/vllm-embeddings.yaml): self-hosted LLM runtime (operational responsibility on the team)
  ⚠ Bedrock provisioned throughput: anthropic.claude-sonnet-4-20250514-v1:0: high-cost AI infrastructure (billing exposure)

────────────────────────────────────────────────────────────────────────────────
For source-level analysis of MCP servers (shell injection, etc.): mcp-audit
Validate which surfaces are exploitable: apisec.ai/ai-validation

