
1Password MCP Server (Environments) — agentic threat model

AIVSS 5.4 · Medium

The 1Password MCP Server is a highly sensitive bridge to credential environments. It reduces the resulting agentic risk by design: every sensitive action requires a per-action authorization prompt outside the model, and actual secret values never enter the LLM's context, so the model only ever handles references.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
Inputs
CVSS base: 8.5
AARS uplift: 0.58
Factor sum: 3.7 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.6

Agentic risk factors (ten factors, each scored 0.0 to 1.0; sum 3.7)
Autonomy of Action: 0.20
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.90
Multi-Agent Interactions: 0.50
Non-Determinism: 0.20
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
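The rationale above can be recomputed from the listed inputs. The block below is an added example for this page, not the AIVSS project's calculator: it applies the formula as stated in the rationale, reproduces the 0.58 uplift and the 5.4 score, and then shows two things the table alone does not make obvious: how much the ×0.6 mitigation factor is worth (the hypothetical ×1.0 case is an assumption for comparison, not a claim about an unmitigated deployment), and how little any single agentic factor can move the score once the CVSS base is 8.5, because the AARS headroom is only (10 − 8.5).

```python
"""Recompute the page's AIVSS score and probe its sensitivity.

Added example; the formula is the one quoted in the rationale, the factor values
are the ones listed on the page, and the x1.0 mitigation case is a hypothetical
comparison point, not a figure from the listing.
"""

# Agentic risk factors exactly as scored on the page (each 0.0 .. 1.0).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.90,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.30,
}

CVSS_BASE = 8.5
THREAT_MULTIPLIER = 1.05   # ThM on the page
MITIGATION_FACTOR = 0.6    # credit for per-action prompts and no secret values in context


def factor_sum(factors: dict[str, float]) -> float:
    """Factor_Sum: plain sum of the ten agentic factors (max 10)."""
    return sum(factors.values())


def aars(cvss_base: float, factors: dict[str, float], thm: float) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, i.e. the agentic uplift
    is bounded by the headroom left above the CVSS base."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base: float, factors: dict[str, float], thm: float, mitigation: float) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def marginal_effects(cvss_base: float, factors: dict[str, float],
                     thm: float, mitigation: float) -> dict[str, float]:
    """How much the final score drops if a single factor is zeroed.

    Because AARS is linear in Factor_Sum, every unit of factor is worth the same
    (10 - CVSS_Base) / 10 * ThM * Mitigation points, regardless of which factor.
    """
    baseline = aivss(cvss_base, factors, thm, mitigation)
    return {
        name: baseline - aivss(cvss_base, {**factors, name: 0.0}, thm, mitigation)
        for name in factors
    }


def report() -> dict[str, float]:
    """Summarise the page's score and the two sensitivity checks."""
    return {
        "factor_sum": round(factor_sum(AGENTIC_FACTORS), 2),
        "aars": round(aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER), 2),
        "aivss": round(aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR), 1),
        # Hypothetical: same factors, no mitigation credit at all.
        "aivss_if_unmitigated": round(aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, 1.0), 2),
        # Zeroing the single largest factor (Dynamic Identity, 0.90) buys very little.
        "drop_if_no_dynamic_identity": round(
            marginal_effects(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
            ["Dynamic Identity"], 3),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:30s} {value}")
```

The takeaway for a reviewer reading these listings: with a CVSS base of 8.5, the whole agentic factor table can contribute at most about 1.6 points before mitigation, so the ×0.6 mitigation factor, not the factor scores, is what separates a Medium from a Critical here. That makes the evidence behind the mitigation credit (the per-action prompts and the no-values-in-context design) the part of the rationale worth scrutinising.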

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing: the 1Password MCP server is model-agnostic and runs against whatever LLM the client supplies (e.g., via Codex or Kiro). The main L1 threat is prompt injection, whether in the user turn or in tool output, steering the model into requesting or leaking secrets. It is blunted here because secret values never enter the model's context, so an injected instruction has nothing to exfiltrate directly; the model can still be induced to request a sensitive action, which is why those actions fall back on the per-action prompts described at L3.

L2 · Data Operations · ✓ mapped

The agent manages configuration and secret references rather than raw data stores. Actual secret payloads are kept out of the agent's context, and therefore out of any transcript, vector memory or embedding derived from it, so a leaked conversation or an embedding inversion attack cannot yield a credential value.

L3 · Agent Frameworks · ✓ mapped

Integrates as an MCP tool server. The framework-level threat is tool misuse, e.g. a prompt-injected or misaligned model autonomously calling a credential write or delete tool. This is mitigated directly: every sensitive tool call requires an out-of-band per-action authorization prompt before it executes, so the model cannot approve its own actions and a cached or blanket approval is not available to it.
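The two controls the L2 and L3 notes rely on, per-action confirmation for sensitive tools and references rather than values in anything the model sees, are easier to reason about as code. The block below is an added illustration of that gateway pattern, not 1Password's implementation: the tool names, the op:// strings (used here purely as opaque handles), the sample vault contents and the confirm callback are assumptions. It also adds the check a practitioner would want behind such a design: a fail-closed scan of every tool result for vault values before it is returned, so a buggy or compromised tool cannot quietly leak a credential back into model context.

```python
"""Illustrative tool gateway: read-only tools run unprompted, credential-mutating
or credential-resolving tools need a fresh out-of-band confirmation on every
call, and nothing returned to the model carries a secret value, only a reference.

Added example for this page, not 1Password's code. Tool names, op:// handles,
the sample vault and the confirm callback are assumptions for illustration.
"""
import json
from dataclasses import dataclass, field
from typing import Any, Callable

# Tools whose effect warrants a human decision every time they are invoked.
SENSITIVE_TOOLS = frozenset({"environment.secret.delete", "environment.secret.resolve"})


class AuthorizationDenied(Exception):
    """The user declined, or nobody was there to approve, a sensitive call."""


class SecretLeak(Exception):
    """A tool result would have carried a secret value back into model context."""


@dataclass
class ToolGateway:
    vault: dict[str, str]                     # reference -> value; never returned wholesale
    confirm: Callable[[str, dict], bool]      # out-of-band prompt; True only on approval
    injected: dict[str, str] = field(default_factory=dict)  # stand-in for a child process env
    audit: list[tuple[str, str, dict]] = field(default_factory=list)

    def call(self, tool: str, args: dict) -> dict[str, Any]:
        """Single entry point the MCP client reaches; returns a model-safe result."""
        if tool in SENSITIVE_TOOLS and not self.confirm(tool, args):
            self.audit.append(("denied", tool, args))
            raise AuthorizationDenied(tool)   # asked per call; approvals are never cached
        self.audit.append(("allowed", tool, args))
        result = self._dispatch(tool, args)
        if self.contains_secret_value(result):
            raise SecretLeak(tool)            # fail closed rather than reply
        return result

    def _dispatch(self, tool: str, args: dict) -> dict[str, Any]:
        if tool == "environment.secret.list":   # read-only: references only
            return {"references": sorted(self.vault)}
        if tool == "environment.secret.delete":
            self.vault.pop(args["ref"], None)
            return {"ref": args["ref"], "status": "deleted"}
        if tool == "environment.secret.resolve":
            # The value goes to the target process environment, never into the reply.
            self.injected[args["env"]] = self.vault[args["ref"]]
            return {"ref": args["ref"], "env": args["env"], "status": "injected"}
        raise KeyError(f"unknown tool {tool}")

    def contains_secret_value(self, result: dict[str, Any]) -> bool:
        """Defence in depth: does any vault value appear anywhere in the payload?"""
        payload = json.dumps(result)
        return any(value and value in payload for value in self.vault.values())


def demo() -> dict[str, Any]:
    """Constructed walk-through: approve a list and a resolve, then deny a delete."""
    vault = {"op://dev-env/db/password": "s3cr3t-db-pass",   # constructed sample data
             "op://dev-env/api/key": "sk-live-abc123"}
    approving = ToolGateway(dict(vault), confirm=lambda tool, args: True)
    listing = approving.call("environment.secret.list", {})
    resolved = approving.call("environment.secret.resolve",
                              {"ref": "op://dev-env/db/password", "env": "DB_PASSWORD"})

    denying = ToolGateway(dict(vault), confirm=lambda tool, args: False)
    try:
        denying.call("environment.secret.delete", {"ref": "op://dev-env/api/key"})
        denied = False
    except AuthorizationDenied:
        denied = True

    return {
        "listing": listing,
        "resolved": resolved,
        "denied": denied,
        "vault_intact": "op://dev-env/api/key" in denying.vault,
        "env_populated": approving.injected.get("DB_PASSWORD") == vault["op://dev-env/db/password"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting. The confirmation is requested inside the gateway, per call, with the tool name and arguments, so the human sees exactly what is about to happen and the model has no path to answer on their behalf. And the leak check runs on the serialized result, not on a whitelist of fields, so a future tool that accidentally echoes a value is caught without anyone remembering to update the gateway.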

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing: deployment security depends on the host running the MCP client and server. If that host or container is compromised, an attacker may read local MCP traffic, tamper with tool results, or bypass the local authorization prompt itself; a human-in-the-loop confirmation is only as trustworthy as the process that renders it and the channel that carries the answer back.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing: the listing does not describe logging, auditing or anomaly detection for the MCP server's operations. 1Password enterprise environments typically offer centralized audit trails, but whether tool calls made through this server are attributed to the agent in those trails is not stated.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Strongly addressed through zero-trust principles: the architecture enforces identity and authorization boundaries with per-action user confirmation, so the agent cannot act as an autonomous superuser and every privileged action carries explicit human-in-the-loop validation.

L7 · Agent Ecosystem · ✓ mapped

Designed for multi-agent environments (e.g., Codex, Kiro). It limits cascading failures and lateral privilege escalation: even if a downstream agent is compromised, it cannot extract raw secrets through this MCP server, and any attempt to use a sensitive tool surfaces a user-facing authorization prompt.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).