protect-mcp — agentic threat model
The protect-mcp agent is a security-enforcing plugin that intercepts and gates tool calls. Its agentic risk is low because it is defensive and policy-driven, but a compromise of its policy engine or of its cryptographic signing keys would bypass the security boundaries it enforces entirely.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The plugin operates as an interception layer for Claude Code, but the underlying foundation model's vulnerabilities (such as prompt injection bypassing system instructions) could lead it to generate tool calls designed to exploit or evade the Cedar policy engine.
Layer 2 (Data Operations): Not certain from the listing — The plugin focuses on tool-call authorization and cryptographic receipts; it does not explicitly detail RAG, vector databases, or training data operations.
Layer 3 (Agent Frameworks): Directly intercepts the orchestration framework's tool-calling mechanism. It mitigates insecure tool integration and tool misuse by enforcing Cedar authorization policies before any tool execution is allowed to proceed.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — While it runs locally or within the Claude Code environment, the secure storage of the Ed25519 private keys used for signing receipts is a critical infrastructure dependency that is not detailed.
Layer 5 (Evaluation and Observability): Provides strong cryptographic observability by emitting Ed25519-signed receipts for every decision. This makes any tampering with the audit trail detectable and ensures non-repudiation of tool execution decisions.
Layer 6 (Security and Compliance): Acts as a core security and compliance control layer. It implements attribute-based access control (ABAC) via Cedar policies and establishes a cryptographic audit trail, directly addressing identity, authorization, and compliance requirements.
Layer 7 (Agent Ecosystem): Designed as a marketplace plugin to secure agent-to-system interactions. It prevents cascading failures or unauthorized actions when third-party tools or sub-agents are invoked by the primary agent.
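To make the gating and receipt mechanism described for the agent-framework and observability layers concrete, here is an added example in Go (standard library only) that is not protect-mcp's own code. It assumes a hypothetical receipt format (tool name, SHA-256 of the arguments, decision, deciding rule id, timestamp) and replaces Cedar with a tiny stand-in rule list that keeps two properties a gate needs: default deny, and an explicit forbid overriding any permit. The keypair is generated in memory for the demo; the key-storage question raised above is exactly what a real deployment must answer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Receipt is the signed record of one tool-call decision. The field set is an
// assumption for this example; the page does not describe protect-mcp's real format.
type Receipt struct {
	Tool     string `json:"tool"`
	ArgsHash string `json:"args_hash"` // SHA-256 of canonical JSON args, so secrets in args never enter the log
	Decision string `json:"decision"`  // "permit" or "forbid"
	Policy   string `json:"policy"`    // id of the rule that produced the decision
	IssuedAt int64  `json:"issued_at"` // unix seconds
}

// Rule is a deliberately small stand-in for a Cedar policy (Cedar is not
// implemented here): default deny, and a matching forbid overrides any permit.
type Rule struct {
	ID     string
	Effect string // "permit" or "forbid"
	Tool   string // tool the rule applies to; "*" matches any tool
}

// Gate evaluates rules and signs a receipt for every decision.
type Gate struct {
	rules []Rule
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey // verifiers only need this half
}

// NewGate generates a fresh Ed25519 keypair in memory. A real deployment would
// load the private key from protected storage rather than generating it per run.
func NewGate(rules []Rule) (*Gate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Gate{rules: rules, priv: priv, Pub: pub}, nil
}

// hashArgs binds the receipt to the exact arguments without logging them.
// encoding/json emits map keys in sorted order, which gives a canonical form.
func hashArgs(args map[string]any) (string, error) {
	b, err := json.Marshal(args)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// decide returns the decision and the id of the rule responsible for it.
func (g *Gate) decide(tool string) (decision, policy string) {
	decision, policy = "forbid", "default-deny"
	for _, r := range g.rules {
		if r.Tool != "*" && r.Tool != tool {
			continue
		}
		if r.Effect == "forbid" {
			return "forbid", r.ID // a matching forbid wins immediately
		}
		decision, policy = "permit", r.ID
	}
	return decision, policy
}

// Authorize evaluates one tool call and returns the receipt, its signature and
// whether the call may proceed. Denials are receipted too, so the audit trail
// records attempts and not only successes.
func (g *Gate) Authorize(tool string, args map[string]any, now time.Time) (Receipt, []byte, bool, error) {
	h, err := hashArgs(args)
	if err != nil {
		return Receipt{}, nil, false, err
	}
	decision, policy := g.decide(tool)
	rcpt := Receipt{Tool: tool, ArgsHash: h, Decision: decision, Policy: policy, IssuedAt: now.Unix()}
	msg, err := json.Marshal(rcpt)
	if err != nil {
		return Receipt{}, nil, false, err
	}
	return rcpt, ed25519.Sign(g.priv, msg), decision == "permit", nil
}

// Verify re-serializes the receipt exactly as it was signed and checks the
// signature. A change to any field, including the decision, fails here.
func Verify(pub ed25519.PublicKey, rcpt Receipt, sig []byte) bool {
	msg, err := json.Marshal(rcpt)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	g, err := NewGate([]Rule{
		{ID: "allow-read", Effect: "permit", Tool: "read_file"},
		{ID: "deny-shell", Effect: "forbid", Tool: "bash"},
	})
	if err != nil {
		panic(err)
	}
	rcpt, sig, ok, _ := g.Authorize("bash", map[string]any{"cmd": "ls"}, time.Now())
	fmt.Printf("bash: decision=%s policy=%s proceed=%v verified=%v\n", rcpt.Decision, rcpt.Policy, ok, Verify(g.Pub, rcpt, sig))
	// Editing the stored log to claim the call was permitted breaks the signature.
	rcpt.Decision = "permit"
	fmt.Printf("after tampering: verified=%v\n", Verify(g.Pub, rcpt, sig))
}
```

The receipt carries a hash of the arguments rather than the arguments themselves, so the log binds each decision to the exact call without becoming a secondary store of secrets; verifiers need only the public key, which is what allows a separate audit system to check receipts without holding the signing key whose protection the deployment layer above leaves open.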
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).