Model Context Protocol (MCP) — agentic threat model
As an open-source protocol connecting LLMs to external data and tools, MCP presents a high-impact risk profile where prompt injection can be leveraged to execute unauthorized tool actions or exfiltrate sensitive connected data.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
| MAESTRO layer | Threat assessment for MCP |
| --- | --- |
| 1. Foundation Models | Not certain from the listing — MCP is model-agnostic, but foundation model vulnerabilities like prompt injection can directly exploit the protocol to access connected data sources or trigger tools. |
| 2. Data Operations | MCP directly facilitates data operations by bridging LLMs and external data sources, making it a prime target for data exfiltration, unauthorized access, and downstream knowledge-base poisoning. |
| 3. Agent Frameworks | As an integration protocol, MCP's primary risk lies in insecure tool integration and tool misuse, where an LLM might be manipulated into calling sensitive MCP-exposed tools with malicious parameters. |
| 4. Deployment and Infrastructure | Not certain from the listing — The security of the deployment layer depends entirely on how the MCP host and servers are sandboxed, network-isolated, and credential-managed in production. |
| 5. Evaluation and Observability | Not certain from the listing — The protocol description does not specify built-in logging, auditing, or guardrails, which may lead to observability blind spots during anomalous tool execution. |
| 6. Security and Compliance | Not certain from the listing — Implementing robust authentication, authorization, and transport security between MCP clients and servers is critical but depends on the adopter's implementation. |
| 7. Agent Ecosystem | MCP establishes an interoperable ecosystem of tools and data; a single compromised or rogue MCP server can lead to cascading trust abuse and horizontal compromise across connected agent systems. |
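The tool-misuse and observability points above (a model manipulated into calling an exposed tool with hostile parameters, and no built-in audit trail when it does) are usually addressed in the MCP host, which sees every JSON-RPC `tools/call` before it reaches a server. The following is an added illustration, not code from the MCP project or from the page: a host-side policy gate that checks each call against a per-tool allowlist of argument names, a length bound, and a path-confinement rule, and writes one audit line per decision. The two tool names (`read_file`, `search_docs`), the `ToolPolicy` shape, the `/srv/docs` root and the sample messages are all constructed for the example; only the `tools/call` message layout (`params.name`, `params.arguments`) follows the protocol.

```python
import json
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ToolPolicy:
    """Host-side constraints for one MCP tool (hypothetical policy shape)."""
    allowed_args: frozenset          # argument names the tool may receive
    path_arg: Optional[str] = None   # argument that must resolve under path_root
    path_root: Optional[str] = None
    max_arg_len: int = 512           # crude bound against oversized injected strings


# Constructed allowlist for two hypothetical tools; any other tool is denied.
POLICY = {
    "read_file": ToolPolicy(frozenset({"path"}), path_arg="path", path_root="/srv/docs"),
    "search_docs": ToolPolicy(frozenset({"query", "limit"})),
}


def _path_within(root: str, candidate: str) -> bool:
    """True if root/candidate, after normalising '.' and '..', stays inside root."""
    root = root.rstrip("/")
    norm = posixpath.normpath(posixpath.join(root, candidate))
    return norm == root or norm.startswith(root + "/")


def evaluate_tool_call(message: dict, policy=POLICY, audit_log: Optional[list] = None):
    """Decide whether one JSON-RPC tools/call may be forwarded to the MCP server.

    Returns (allowed, reason). Every decision, allowed or denied, is appended to
    audit_log as one JSON line carrying the tool name and argument *keys* only,
    so the trail never captures secrets passed in argument values.
    """
    params = message.get("params") or {}
    name = params.get("name")
    args = params.get("arguments") or {}
    record = {"id": message.get("id"), "method": message.get("method"), "tool": name}

    def decide(allowed: bool, reason: str):
        record["allowed"] = allowed
        record["reason"] = reason
        if audit_log is not None:
            audit_log.append(json.dumps(record, sort_keys=True))
        return allowed, reason

    if message.get("method") != "tools/call":
        return decide(False, "not a tools/call request")
    if not isinstance(args, dict):
        return decide(False, "arguments must be an object")
    record["arg_keys"] = sorted(args)
    tool_policy = policy.get(name)
    if tool_policy is None:
        return decide(False, f"tool {name!r} not on allowlist")
    unexpected = set(args) - tool_policy.allowed_args
    if unexpected:
        return decide(False, f"unexpected arguments {sorted(unexpected)}")
    for key, value in args.items():
        if isinstance(value, str) and len(value) > tool_policy.max_arg_len:
            return decide(False, f"argument {key!r} exceeds {tool_policy.max_arg_len} chars")
    if tool_policy.path_arg is not None:
        candidate = args.get(tool_policy.path_arg)
        if (not isinstance(candidate, str) or not candidate
                or not _path_within(tool_policy.path_root, candidate)):
            return decide(False, f"{tool_policy.path_arg!r} does not resolve under {tool_policy.path_root}")
    return decide(True, "ok")


# Constructed sample traffic: one legitimate call and three a manipulated model might emit.
SAMPLE_CALLS = [
    {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
     "params": {"name": "read_file", "arguments": {"path": "reports/q1.md"}}},
    {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
     "params": {"name": "read_file", "arguments": {"path": "../../secrets/keys.txt"}}},
    {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
     "params": {"name": "delete_repo", "arguments": {"name": "prod"}}},
    {"jsonrpc": "2.0", "id": 4, "method": "tools/call",
     "params": {"name": "search_docs",
                "arguments": {"query": "budget", "upload_to": "https://example.invalid/collect"}}},
]


def run_demo():
    """Evaluate the constructed calls; returns the decisions and the audit trail."""
    audit_log = []
    decisions = [evaluate_tool_call(m, audit_log=audit_log) for m in SAMPLE_CALLS]
    return decisions, audit_log


if __name__ == "__main__":
    for (allowed, reason), line in zip(*run_demo()):
        print("ALLOW" if allowed else "DENY ", reason, "|", line)
```

Only the first sample call passes; the traversal, the unlisted tool and the extra `upload_to` argument are each denied with a reason that lands in the audit line, so an analyst can see the attempted action even though the server never received it. The gate deliberately logs argument names rather than values: the same trail that exposes a misuse attempt would otherwise also be a place where file contents or credentials accumulate.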
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.