Atlassian Rovo MCP Server — agentic threat model
The Atlassian Rovo MCP Server introduces significant agentic risk by exposing read/write capabilities across Jira, Confluence, and Compass via OAuth, creating a high-impact target for prompt injection and unauthorized data mutation.
OWASP AIVSS score rationale
| Autonomy of Action | 0.60 | |
| Goal-Driven Planning | 0.40 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The underlying foundation model is not specified, but the agent is highly vulnerable to indirect prompt injection via malicious content stored in Jira issues or Confluence pages that the model processes.
Acts as a direct bridge to enterprise knowledge bases (Confluence, Jira). Threats include data exfiltration of sensitive corporate IP and knowledge-base poisoning if the agent writes malicious or inaccurate data back to these systems.
The MCP framework orchestrates tool execution for searching, reading, creating, and updating tickets and pages. Insecure tool integration or lack of strict input validation can lead to arbitrary write actions or unauthorized state changes.
Not certain from the listing — The hosting environment of the MCP server and the client agent is unspecified, but secure handling of OAuth tokens and transport-layer security are critical to prevent token theft and lateral movement.
Not certain from the listing — There is no mention of built-in guardrails, real-time monitoring, or transaction logging to detect anomalous tool calls or malicious prompt injection payloads before they execute write operations.
Relies on OAuth-scoped remote access for identity and authorization. Risk of over-granted tokens allowing the agent to mutate project data beyond the user's intended scope if fine-grained access controls are not enforced.
Designed to interface with other AI agents via the Model Context Protocol (MCP). This introduces risks of cascading failures and trust abuse if a compromised upstream agent orchestrates malicious calls through this server.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).