

protect-mcp — agentic threat model

AIVSS 4.9 · Medium

The protect-mcp agent acts as a highly critical security-enforcing plugin that intercepts and gates tool calls. While its agentic risk is low due to its defensive, policy-driven nature, any compromise of its policy engine or cryptographic signing keys would completely bypass the agent's security boundaries.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.47
Factor sum: 3.3/10
Threat multiplier (ThM): ×0.95
Mitigation factor: ×0.55

Agentic risk factors (these sum to the 3.3 above):
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.30
Non-Determinism: 0.20
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
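To make the rationale reproducible, here is an added Python example (not code from this listing or from the protect-mcp project) that carries the AIVSS formula through with the factor values and multipliers given above; the factor dictionary and function names are this example's own.

```python
# Added example: the OWASP AIVSS formula from the listing, carried through
# with protect-mcp's published numbers.
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

# The ten agentic risk factors as listed for protect-mcp (constructed here
# from the listing's table; the dict name is this example's own).
PROTECT_MCP_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.50,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.30,
}


def factor_sum(factors):
    """Sum the agentic factors after checking each lies within 0..1."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, factors, thm):
    """Agentic risk uplift: the headroom above the CVSS base, scaled by
    the factor sum (out of 10) and the threat multiplier ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0..10")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """Final AIVSS score, rounded to one decimal as the listing shows it."""
    return round((cvss_base + aars(cvss_base, factors, thm)) * mitigation, 1)


def score_protect_mcp():
    """Reproduce the listing: CVSS base 8.5, ThM 0.95, mitigation 0.55."""
    base, thm, mit = 8.5, 0.95, 0.55
    return {
        "factor_sum": round(factor_sum(PROTECT_MCP_FACTORS), 1),  # 3.3
        "aars": round(aars(base, PROTECT_MCP_FACTORS, thm), 2),   # 0.47
        "aivss": aivss(base, PROTECT_MCP_FACTORS, thm, mit),      # 4.9
    }
```

Setting the mitigation factor to 1.0 in `aivss` shows how much of the 8.5 base the listed controls are credited with removing.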

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The plugin operates as an interception layer for Claude Code, but weaknesses in the underlying foundation model (for example, a prompt injection that bypasses its system instructions) could lead the model to generate tool calls crafted to exploit or evade the Cedar policy engine.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The plugin focuses on tool-call authorization and cryptographic receipts; it does not explicitly detail RAG, vector databases, or training data operations.

L3 · Agent Frameworks (✓ mapped)

Directly intercepts the orchestration framework's tool-calling mechanism. It mitigates insecure tool integration and tool misuse by enforcing Cedar authorization policies before any tool execution is allowed to proceed.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — While it runs locally or within the Claude Code environment, the secure storage of Ed25519 private keys used for signing receipts is a critical infrastructure dependency that is not detailed.

L5 · Evaluation & Observability (✓ mapped)

Provides strong cryptographic observability by emitting Ed25519-signed receipts for every decision. This prevents tampering with audit logs and ensures non-repudiation of tool execution decisions.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Acts as a core security and compliance control layer. It implements attribute-based access control (ABAC) via Cedar policies and establishes a cryptographic audit trail, directly addressing identity, authorization, and compliance requirements.

L7 · Agent Ecosystem (✓ mapped)

Designed as a marketplace plugin to secure agent-to-system interactions. It prevents cascading failures or unauthorized actions when third-party tools or sub-agents are invoked by the primary agent.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).