Blender — agentic threat model
The Blender MCP agent presents a critical security risk due to its core design of executing LLM-generated Python code directly within a local Blender instance with local privileges. Without robust sandboxing or input validation, this path is highly susceptible to prompt injection leading to arbitrary local code execution.
OWASP AIVSS score rationale
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The listing does not specify which foundation model is used, but any connected LLM is vulnerable to prompt injection that could be leveraged to generate malicious Python code.
Not certain from the listing — No details on RAG or vector databases are provided, though the asset import feature could potentially be abused to load malicious external files if paths are not restricted.
The agent framework translates natural language into Python scripts and executes them directly inside Blender. This direct tool-use mechanism lacks validation, making it highly vulnerable to arbitrary code execution via prompt injection.
The agent runs Python code directly within a local Blender instance with local user privileges. Without containerization or strict sandboxing, this allows host-level compromise, local file system access, and potential lateral movement.
Not certain from the listing — There is no mention of guardrails, logging, or execution monitoring to intercept or audit harmful Python code before it runs in the Blender environment.
Not certain from the listing — No authentication, authorization, or policy enforcement mechanisms are described to restrict what Python commands or system calls can be executed.
Not certain from the listing — While it uses the Model Context Protocol (MCP) to connect to hosts, there is no specific detail on multi-agent trust boundaries or marketplace interactions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).