adhikasp/mcp-git-ingest — agentic threat model
This agent acts as a read-only bridge to GitHub repositories, presenting a high risk of prompt injection from untrusted repository contents but carrying low direct execution risk due to its lack of write or execution tools.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The agent relies on an external LLM for analysis. The primary threat is indirect prompt injection, where malicious code or instructions embedded in the ingested GitHub repository hijack the host LLM's behavior.
Layer 2 (Data Operations): The agent ingests external repository structures and file contents without cloning. This introduces a major data-poisoning and prompt-injection surface from untrusted third-party repositories, though it does not maintain its own vector store.
Layer 3 (Agent Frameworks): Implements the Model Context Protocol (MCP) to expose repository-reading tools. Vulnerabilities could arise if the tool-calling framework fails to sanitize repository paths, potentially leading to path traversal or unauthorized file access.
Layer 4 (Deployment & Infrastructure): Not certain from the listing — The deployment environment of the MCP server is unspecified. If run locally or in a shared container, it requires network access to GitHub's API, which must be secured to prevent SSRF or credential leakage.
Layer 5 (Evaluation & Observability): Not certain from the listing — There are no mentioned logging, auditing, or guardrail mechanisms to detect when ingested repository content contains malicious payloads or exploit attempts targeting the LLM.
Layer 6 (Security & Compliance): Not certain from the listing — The agent lacks explicit authentication, authorization, or rate-limiting controls for accessing private repositories versus public ones, relying entirely on the host environment's configuration.
Layer 7 (Agent Ecosystem): Designed to be used by other LLMs and agents within an MCP ecosystem. A compromised or malicious upstream agent could abuse this tool to scan internal or sensitive repositories if credentials are misconfigured.
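The Agent Frameworks layer above names unsanitized repository paths as the concrete risk: a file-reading tool that accepts a caller-supplied path and joins it to a checkout root must make sure the result stays inside that root. The following is an added example written for this page, not code from adhikasp/mcp-git-ingest; the function names (`resolve_in_repo`, `read_repo_file`, `classify_requests`, `build_demo_repo`) and the throwaway checkout it builds are constructed for illustration. It resolves both the root and the requested path (so `..` segments and symlinks are followed before the containment check), rejects absolute requests outright, and caps how many bytes a single read can return.

```python
"""Path-containment check for a repository-reading MCP tool.

Added example for this page; not part of adhikasp/mcp-git-ingest.
All names and the demo checkout are constructed for illustration.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested file would resolve outside the repository root."""


def resolve_in_repo(repo_root: str | os.PathLike, requested: str) -> Path:
    """Return the real path of `requested` inside `repo_root`, or raise.

    Order of checks:
      1. reject absolute requests (the tool should only take repo-relative paths);
      2. resolve symlinks and '..' on both root and target with Path.resolve();
      3. require the resolved target to sit at or below the resolved root.
    Step 2 is what defeats a checkout containing a symlink that points outside
    the tree; a lexical check on the string alone would let it through.
    """
    root = Path(repo_root).resolve()
    req = Path(requested)
    if req.is_absolute():
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    target = (root / req).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise PathTraversalError(
            f"{requested!r} resolves to {target}, outside {root}"
        ) from None
    return target


def read_repo_file(repo_root, requested: str, max_bytes: int = 64 * 1024) -> str:
    """Read a contained file, capping size so a hostile repo cannot flood the LLM context."""
    path = resolve_in_repo(repo_root, requested)
    with open(path, "rb") as fh:
        data = fh.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError(f"{requested!r} exceeds {max_bytes} bytes")
    return data.decode("utf-8", errors="replace")


def classify_requests(repo_root, requests: list[str]) -> dict[str, str]:
    """Map each requested path to 'ok' or 'rejected' by the containment check."""
    verdicts: dict[str, str] = {}
    for r in requests:
        try:
            resolve_in_repo(repo_root, r)
            verdicts[r] = "ok"
        except PathTraversalError:
            verdicts[r] = "rejected"
    return verdicts


def build_demo_repo() -> str:
    """Create a constructed throwaway checkout: one real file plus a symlink that escapes the tree."""
    base = tempfile.mkdtemp(prefix="repo-demo-")
    root = Path(base) / "checkout"
    (root / "src").mkdir(parents=True)
    (root / "src" / "main.py").write_text("print('hello')\n")
    outside = Path(base) / "secret.txt"          # lives beside, not inside, the checkout
    outside.write_text("not part of the repository\n")
    (root / "escape").symlink_to(outside)        # the kind of link a hostile repo could ship
    return str(root)


# Constructed requests a caller (or an upstream agent) might pass to the tool.
DEMO_REQUESTS = [
    "src/main.py",          # plain relative path: ok
    "src/../src/main.py",   # '..' that stays inside the root: ok
    "../secret.txt",        # lexical traversal out of the root: rejected
    "escape",               # symlink whose target is outside the root: rejected
    "/etc/hostname",        # absolute path: rejected
]


def demo() -> dict[str, str]:
    root = build_demo_repo()
    verdicts = classify_requests(root, DEMO_REQUESTS)
    for req, verdict in verdicts.items():
        print(f"{verdict:9}{req}")
    return verdicts


if __name__ == "__main__":
    demo()
```

The size cap in `read_repo_file` is there for the same reason as the containment check: the tool's output goes straight into an LLM context, so both which file is read and how much of it is returned are decisions the tool, not the caller, should control.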
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).