AgentReadyHomeAgent Listing

← adhikasp/mcp-git-ingest

adhikasp/mcp-git-ingest — agentic threat model

7.0AIVSS 7.0 · High

This agent acts as a read-only bridge to GitHub repositories, presenting a high risk of prompt injection from untrusted repository contents but carrying low direct execution risk due to its lack of write or execution tools.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.3AARS uplift 0.7Factor sum 1.8/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.30
Persistent Memory
0.00
Contextual Awareness
0.50
Dynamic Identity
0.10
Multi-Agent Interactions
0.20
Non-Determinism
0.20
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The agent relies on an external LLM for analysis. The primary threat is indirect prompt injection where malicious code or instructions embedded in the ingested GitHub repository hijack the host LLM's behavior.

L2 · Data Operations✓ mapped

The agent ingests external repository structures and file contents without cloning. This introduces a major data poisoning and prompt-injection surface from untrusted third-party repositories, though it does not maintain its own vector store.

L3 · Agent Frameworks✓ mapped

Implements the Model Context Protocol (MCP) to expose repository reading tools. Vulnerabilities could arise if the tool-calling framework fails to sanitize repository paths, potentially leading to path traversal or unauthorized file access.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The deployment environment of the MCP server is unspecified. If run locally or in a shared container, it requires network access to GitHub's API, which must be secured to prevent SSRF or credential leakage.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There are no mentioned logging, auditing, or guardrail mechanisms to detect when ingested repository content contains malicious payloads or exploit attempts targeting the LLM.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — The agent lacks explicit authentication, authorization, or rate-limiting controls for accessing private repositories versus public ones, relying entirely on the host environment's configuration.

L7 · Agent Ecosystem✓ mapped

Designed to be used by other LLMs and agents within an MCP ecosystem. A compromised or malicious upstream agent could abuse this tool to scan internal or sensitive repositories if credentials are misconfigured.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).