
mcp-tunnels — agentic threat model

AIVSS 8.0 · High

mcp-tunnels presents a high-risk infrastructure profile due to its capability to execute shell commands, manage Docker containers, and establish network tunnels exposing private local resources to external LLMs.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.41
Factor sum: 2.5 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.9

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.20
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.20
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
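Worked calculation of the score above, as an added example that is not part of the listing or of the mcp-tunnels project. It carries the page's two-step formula through with the page's own inputs (CVSS base 8.5, factor sum 2.5, ThM 1.1, mitigation 0.9) using exact decimal arithmetic, so the intermediate AARS comes out as 0.4125 (displayed on the page as 0.41) and the final score as 8.02125, which rounds to the listed 8.0. It also ranks the factors by their contribution, which makes visible that Dynamic Tool Use is what drives most of the agentic uplift for this plugin. The function names are the example's own; the factor names and values are those in the table above.

```python
"""Worked OWASP AIVSS calculation for the mcp-tunnels listing.

Added example, not part of the listing or the mcp-tunnels project.
Implements the formula quoted on the page:

    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

Decimal is used so the intermediate values are exact rather than
subject to binary floating-point rounding.
"""
from decimal import Decimal

# Agentic risk factors exactly as scored on the page (each 0.00 .. 1.00).
AGENTIC_FACTORS = {
    "Autonomy of Action": Decimal("0.40"),
    "Goal-Driven Planning": Decimal("0.20"),
    "Self-Modification": Decimal("0.00"),
    "Dynamic Tool Use": Decimal("0.80"),
    "Persistent Memory": Decimal("0.10"),
    "Contextual Awareness": Decimal("0.20"),
    "Dynamic Identity": Decimal("0.30"),
    "Multi-Agent Interactions": Decimal("0.20"),
    "Non-Determinism": Decimal("0.20"),
    "Opacity & Reflexivity": Decimal("0.10"),
}

# Inputs quoted on the page for this listing.
CVSS_BASE = Decimal("8.5")
THREAT_MULTIPLIER = Decimal("1.1")   # ThM
MITIGATION_FACTOR = Decimal("0.9")


def factor_sum(factors):
    """Sum the ten agentic factors, rejecting values outside 0..1."""
    if len(factors) != 10:
        raise ValueError(f"expected 10 agentic factors, got {len(factors)}")
    for name, value in factors.items():
        if not Decimal(0) <= value <= Decimal(1):
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, fsum, thm):
    """Agentic uplift: a share of the headroom left above the CVSS base."""
    if not Decimal(0) <= cvss_base <= Decimal(10):
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    return (Decimal(10) - cvss_base) * (fsum / Decimal(10)) * thm


def aivss(cvss_base, fsum, thm, mitigation):
    """Final AIVSS score per the page's formula, unrounded."""
    return (cvss_base + aars(cvss_base, fsum, thm)) * mitigation


def top_factors(factors, n=3):
    """Factors contributing most to the uplift, highest first."""
    return sorted(factors.items(), key=lambda kv: kv[1], reverse=True)[:n]


def score_listing(factors=AGENTIC_FACTORS, cvss_base=CVSS_BASE,
                  thm=THREAT_MULTIPLIER, mitigation=MITIGATION_FACTOR):
    """Reproduce the listing's headline numbers from its inputs."""
    fsum = factor_sum(factors)
    uplift = aars(cvss_base, fsum, thm)
    score = aivss(cvss_base, fsum, thm, mitigation)
    return {
        "factor_sum": fsum,                              # 2.50
        "aars": uplift,                                  # 0.4125 (page shows 0.41)
        "aivss": score,                                  # 8.02125
        "aivss_rounded": score.quantize(Decimal("0.1")), # 8.0, as listed
    }


if __name__ == "__main__":
    result = score_listing()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("largest contributors:")
    for name, value in top_factors(AGENTIC_FACTORS):
        print(f"  {name}: {value}")
```

Because AARS scales the headroom (10 − CVSS_Base), an already-high base score leaves little room for the agentic factors to move the total; here a factor sum of only 2.5/10 still lifts the score, and the ×0.9 mitigation factor is what pulls it back under the listed 8.0. Changing any single factor in the dictionary and re-running shows how sensitive the headline number is to those estimates.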

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the plugin itself is a utility command and does not specify the underlying foundation model, though it is designed to connect private servers to Claude.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — the tool focuses on network tunneling and configuration generation rather than managing training data or vector stores.

L3 · Agent Frameworks (✓ mapped)

The plugin orchestrates tool integration by exposing local MCP servers to Claude. Risks include insecure tool integration if the generated proxy configurations or certificates are weak or misconfigured.

L4 · Deployment & Infrastructure (✓ mapped)

High risk. The tool runs docker/cloudflared shell steps, generates certificates, and sets up network tunnels. Compromise could lead to container escape, unauthorized network exposure, or lateral movement.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in guardrails, logging, or anomaly detection for the established tunnels beyond the 'verifiable' sample server.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Generates certificates and proxy configurations to secure the tunnel. However, running shell steps and managing local Docker containers requires strict local access controls and compliance auditing.

L7 · Agent Ecosystem (✓ mapped)

Facilitates agent-to-infrastructure communication by exposing local MCP servers to Claude. Vulnerabilities here could allow rogue external agents to abuse the tunnel to access private local resources.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).