MCP.so — agentic threat model
MCP.so is a directory platform for Model Context Protocol tools rather than an active autonomous agent, presenting low direct agentic risk but serving as a potential vector for supply chain attacks if malicious tools are listed.
OWASP AIVSS score rationale
| Autonomy of Action | 0.00 | |
| Goal-Driven Planning | 0.00 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.00 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.10 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.00 | |
| Non-Determinism | 0.10 | |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The platform is a directory and does not explicitly state if it uses foundation models for search or curation, though adversarial inputs to search queries could theoretically target underlying LLMs if used.
Not certain from the listing — The platform manages metadata for over 16,000 tools. Threats include data poisoning where malicious actors submit deceptive metadata or links to compromise downstream users.
Not certain from the listing — MCP.so is a directory of agent tools rather than an active agent framework executing orchestration, planning, or tool-calling itself.
Not certain from the listing — Standard web hosting and database infrastructure are assumed. Threats include typical web vulnerabilities, unauthorized database access, and denial of service.
Not certain from the listing — No evaluation, guardrails, or observability mechanisms are described beyond basic curation to remove low-quality or duplicate entries.
Not certain from the listing — No specific security controls, access management, or compliance frameworks are mentioned for the directory platform.
As a major marketplace/directory for the MCP ecosystem, the primary threat is ecosystem-level supply chain compromise, where malicious or compromised MCP servers are listed and subsequently integrated into users' agent workflows.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.