carterlasalle/mac_messages_mcp — agentic threat model

AIVSS 8.3 · High

This MCP server presents a high-risk profile due to its direct read/write access to the host's macOS iMessage database and the ability to send messages under the user's identity, making it a prime target for prompt injection and data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.1
AARS uplift: 0.65
Factor sum: 3.4 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.95

Substituting the values above: AARS = (10 − 8.1) × (3.4 / 10) × 1.0 ≈ 0.65, and AIVSS = (8.1 + 0.65) × 0.95 ≈ 8.3.

Agentic risk factors (sum 3.4):

Autonomy of Action: 0.70
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.10
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server itself does not bundle a specific foundation model, but the LLMs that drive it are exposed to prompt injection (for example via the content of received messages), which could force unauthorized message sending or data exfiltration.

L2 · Data Operations (✓ mapped)

The server directly queries the local macOS iMessage SQLite database (chat.db). This exposes highly sensitive personal and corporate conversation history, making unauthorized data extraction or embedding-based exfiltration a major threat.

L3 · Agent Frameworks (✓ mapped)

Integrates via the Model Context Protocol (MCP). Vulnerabilities in the orchestrating framework or agent logic could lead to tool misuse, where an LLM is tricked into sending spam or exfiltrating chat history via attachments.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally on macOS and requires the Full Disk Access permission to read the iMessage database. If the host or the MCP client is compromised, the attacker inherits that permission and with it deep access to the user's private communications.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in logging, guardrails, or evaluation mechanisms are described. Monitoring and anomaly detection depend entirely on the host MCP client's implementation.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Lacks built-in fine-grained authorization or user-consent prompts for sending messages or reading database records, relying instead on the macOS-level Full Disk Access permission, which is coarse-grained: it is granted once, to the whole process, and covers far more than the iMessage database.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — While designed as an MCP tool, there is no explicit multi-agent coordination or marketplace trust model defined beyond standard MCP client-server boundaries.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).