
alexei-led/aws-mcp-server — agentic threat model

AIVSS 7.9 · High

The agent presents an extremely high risk profile due to its capability to execute arbitrary AWS CLI commands and Unix pipes, potentially allowing full control over cloud infrastructure if credentials are over-privileged. While the Dockerized sandbox provides host-level isolation, it does not prevent logical abuse of AWS APIs.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 9.8
AARS uplift: 0.11
Factor sum: 5.0/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.8

Autonomy of Action: 0.70
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.30
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
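The score above can be reproduced from the listed inputs. The following is an added example, not part of the listing or of the aws-mcp-server project: it implements the AIVSS formula as printed, with the ten factor values from this page, and also shows what happens when the same factors are applied to a weaker base vulnerability. The qualitative bands in `severity()` are an assumption (CVSS v3.x ranges); the page itself only labels the result "High".

```python
"""Reproduce the OWASP AIVSS score from the listed inputs (added example)."""

CVSS_BASE = 9.8
THREAT_MULTIPLIER = 1.1       # ThM, shown as "Threat ×1.1"
MITIGATION_FACTOR = 0.8       # shown as "Mitigation ×0.8"

# The ten agentic risk factors exactly as listed for this agent.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.80,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


def factor_sum(factors):
    """Sum of the ten factors; each lies in [0, 1], so the sum lies in [0, 10]."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} outside [0, 1]")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic uplift: (10 - CVSS_Base) x (Factor_Sum / 10) x ThM."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """(CVSS_Base + AARS) x Mitigation_Factor, the formula printed on the page."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score):
    """Qualitative band; assumed to follow CVSS v3.x ranges (not stated on the page)."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def breakdown(cvss_base=CVSS_BASE, factors=AGENTIC_FACTORS,
              threat_multiplier=THREAT_MULTIPLIER, mitigation_factor=MITIGATION_FACTOR):
    """Intermediate values rounded the way the listing displays them."""
    score = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "factor_sum": round(factor_sum(factors), 2),
        "aars": round(aars(cvss_base, factors, threat_multiplier), 2),
        "aivss": round(score, 1),
        "severity": severity(round(score, 1)),
    }


if __name__ == "__main__":
    print(breakdown())                   # the listing's numbers: AARS 0.11, AIVSS 7.9, High
    # Same factors on a weaker base vulnerability: the uplift has far more headroom,
    # because AARS is bounded by (10 - CVSS_Base).
    print(breakdown(cvss_base=5.0))      # AARS 2.75, AIVSS 6.2, Medium
```

Note why the uplift here is only 0.11: with a base of 9.8 there is almost no headroom left for the agentic factors to add to, so the agentic profile is expressed mainly through the factor values themselves, and the mitigation factor (the sandbox) is what pulls the final score below the base.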

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the specific foundation models that drive this MCP server are not identified, but whichever model is used is exposed to prompt injection that could lead to unauthorized AWS CLI execution.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — no specific vector databases or training data pipelines are mentioned, though the agent can read and write data in AWS services (such as S3) via the CLI.

L3 · Agent Frameworks (✓ mapped)

The agent uses the Model Context Protocol (MCP) to expose highly sensitive tools (AWS CLI and Unix pipes). The primary threat is tool misuse, where an LLM is manipulated into executing destructive commands or exfiltrating data.

L4 · Deployment & Infrastructure (✓ mapped)

The agent runs in a Dockerized sandbox to mitigate host-level compromise. However, the primary infrastructure threat is the exposure of AWS credentials and potential lateral movement within the AWS cloud environment.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of logging, monitoring, or guardrails to detect or block malicious AWS CLI commands before execution.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Credential scope is highlighted as a significant security surface. Strict IAM policies (least privilege) and robust authentication are required to prevent the agent from abusing its AWS access.
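The L5 gap (no pre-execution guardrail is mentioned) and the L6 point (credential scope must be least-privilege) are complementary: IAM is the authoritative control, and a policy check in front of the CLI is a defence-in-depth layer that also produces an auditable allow/deny decision. The following is an added example, not code from aws-mcp-server. It assumes a simple policy of my own choosing: only `aws` commands, only an allow-list of services, only read-only operations (with an explicit deny for STS operations that mint credentials), pipes only into a few text filters, and no shell chaining, redirection or command substitution.

```python
"""Pre-execution guardrail for AWS CLI commands handed to an agent (added example).

Assumed policy (not the project's own): read-only operations on an allow-list of
services, pipes only into text filters, no chaining/redirection/substitution.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

ALLOWED_SERVICES = {"s3", "s3api", "ec2", "iam", "sts", "cloudtrail"}
READ_ONLY_PREFIXES = ("describe-", "list-", "get-", "lookup-")
READ_ONLY_EXACT = {"ls"}  # 'aws s3 ls' has no hyphenated verb
# Pass the prefix test but hand out credentials: explicit deny (assumed policy).
DENIED_OPERATIONS = {"sts": {"get-session-token", "get-federation-token"}}
ALLOWED_PIPE_BINARIES = {"grep", "jq", "head", "tail", "sort", "uniq", "wc", "cut"}
# AWS CLI global options that consume the following token as their value.
VALUE_OPTIONS = {"--profile", "--region", "--output", "--query", "--endpoint-url",
                 "--cli-read-timeout", "--cli-connect-timeout", "--color"}
SHELL_OPERATORS = {";", "&", "&&", "||", ">", ">>", "<", "(", ")"}
SUBSTITUTION = re.compile(r"`|\$\(")  # backticks and $(...)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def tokenize(command: str) -> list[str]:
    """Shell-style tokens; '|', ';', '&', '>' and friends become their own tokens."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep 's3://bucket' and 'Name=tag:x' as single tokens
    return list(lex)


def service_and_operation(args: list[str]) -> tuple[str | None, str | None]:
    """First two positionals after 'aws', skipping global options and their values."""
    positionals: list[str] = []
    skip_next = False
    for tok in args:
        if skip_next:
            skip_next = False
            continue
        if tok.startswith("--"):
            skip_next = tok in VALUE_OPTIONS and "=" not in tok
            continue
        positionals.append(tok)
        if len(positionals) == 2:
            break
    padded = positionals + [None, None]
    return padded[0], padded[1]


def evaluate(command: str) -> Verdict:
    """Decide whether a command line may be passed to the sandbox's shell."""
    if SUBSTITUTION.search(command):
        return Verdict(False, "command substitution is not permitted")
    try:
        tokens = tokenize(command)
    except ValueError as exc:  # unbalanced quotes
        return Verdict(False, f"unparseable command: {exc}")
    bad = [t for t in tokens if t in SHELL_OPERATORS]
    if bad:
        return Verdict(False, f"shell operator {bad[0]!r} is not permitted")
    stages: list[list[str]] = []
    current: list[str] = []
    for tok in tokens:
        if tok == "|":
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    head = stages[0]
    if not head or head[0] != "aws":
        return Verdict(False, "only 'aws ...' commands may start a pipeline")
    service, op = service_and_operation(head[1:])
    if service not in ALLOWED_SERVICES:
        return Verdict(False, f"service {service!r} is not on the allow-list")
    read_only = op is not None and (op in READ_ONLY_EXACT or op.startswith(READ_ONLY_PREFIXES))
    if not read_only or op in DENIED_OPERATIONS.get(service, set()):
        return Verdict(False, f"operation {op!r} is not read-only")
    for stage in stages[1:]:
        name = stage[0] if stage else "<empty>"
        if name not in ALLOWED_PIPE_BINARIES:
            return Verdict(False, f"pipe target {name!r} is not an allowed filter")
    return Verdict(True, f"read-only {service} {op}")


if __name__ == "__main__":
    for cmd in ("aws s3 ls s3://example-bucket | grep '.log'",
                "aws s3 rm s3://example-bucket --recursive",
                "aws iam list-users > users.txt"):
        print(f"{evaluate(cmd)!r:60}  {cmd}")
```

Prefix-based allow-listing is deliberately coarse: it is cheap to review and to log, but it is not a substitute for scoping the credentials themselves, which is why the IAM policy behind the sandbox must still be least-privilege. Every `Verdict` is a natural audit record for the L5 observability gap.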

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — multi-agent orchestration is not explicitly detailed, though exposing AWS CLI tools to an ecosystem of agents increases the risk of cascading authorization abuse.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).