Clerk MCP Server — agentic threat model
The Clerk MCP Server is a low-risk, read-only documentation and SDK retrieval tool, presenting minimal agentic risk but acting as a potential vector for indirect prompt injection if retrieved documentation is poisoned.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not describe that layer.
Layer 1 (Foundation Models): Not certain from the listing — the MCP server itself does not host a foundation model, but acts as a utility for external LLMs. The primary risk is the host LLM executing adversarial instructions embedded in retrieved documentation snippets.
Layer 2 (Data Operations): The core function is fetching Clerk auth docs and SDK snippets. The primary threat is data poisoning of the source documentation or man-in-the-middle attacks altering the retrieved snippets, leading to insecure code generation.
Layer 3 (Agent Frameworks): Integrates via the Model Context Protocol (MCP). Vulnerabilities include insecure tool integration where the calling agent treats the fetched documentation as implicitly trusted, executable context.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — details about the hosting environment of the remote MCP server are omitted. Risks include exposed API endpoints and lack of transport layer security during document retrieval.
Layer 5 (Evaluation and Observability): Not certain from the listing — there is no mention of logging, telemetry, or verification of retrieved content. Gaps here could allow silent modification of documentation payloads to go unnoticed.
Layer 6 (Security and Compliance): The tool provides authentication documentation but does not appear to enforce strict access controls or cryptographic verification (e.g., signed content) on the retrieved SDK snippets themselves.
Layer 7 (Agent Ecosystem): Designed to be consumed by other agents building auth flows. A compromised or poisoned MCP server could propagate insecure authentication patterns or malicious code snippets to multiple downstream developer agents.
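The observability and content-verification gaps above (no verification of retrieved content, no signed snippets) can be closed on the host-agent side. The following is an added example, not code from Clerk or the MCP server: it assumes the host obtains a pinned SHA-256 manifest for known snippets out-of-band, checks each fetched snippet against it, flags instruction-like text for logging, and delimits the snippet as reference data before it reaches the model. The snippet body, ids and patterns are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed known-good snippet (assumption: the host ships a manifest of
# SHA-256 digests obtained out-of-band, e.g. from a signed release artefact).
KNOWN_GOOD = {
    "clerk/nextjs/middleware": (
        "import { clerkMiddleware } from '@clerk/nextjs/server';\n"
        "export default clerkMiddleware();\n"
    ),
}
PINNED_DIGESTS = {k: hashlib.sha256(v.encode()).hexdigest() for k, v in KNOWN_GOOD.items()}

# Instruction-like phrases that have no business inside a documentation snippet;
# a hit is logged as a possible indirect prompt injection, not silently dropped.
INJECTION_PATTERNS = [
    re.compile(r"ignore (all |any )?(previous|prior|above) instructions", re.I),
    re.compile(r"\byou are now\b", re.I),
    re.compile(r"\b(system|developer) prompt\b", re.I),
    re.compile(r"do not (tell|inform) the user", re.I),
]


def digest_matches(snippet_id: str, content: str) -> bool:
    """Integrity check: fetched content must hash to the pinned digest."""
    expected = PINNED_DIGESTS.get(snippet_id)
    if expected is None:
        return False  # unknown snippet id: nothing to verify against
    actual = hashlib.sha256(content.encode()).hexdigest()
    return hmac.compare_digest(actual, expected)


def find_injection_markers(content: str) -> list[str]:
    """Return every instruction-like phrase found in the snippet (for logging)."""
    return [m.group(0) for p in INJECTION_PATTERNS for m in p.finditer(content)]


def vet_snippet(snippet_id: str, content: str) -> dict:
    """Decide how the host agent may use a snippet returned by the MCP server."""
    verified = digest_matches(snippet_id, content)
    markers = find_injection_markers(content)
    trust = "verified" if verified else "untrusted"
    # Delimit the snippet as data; the host's system prompt should state that
    # text inside <doc> is reference material, never instructions to follow.
    context = f'<doc id="{snippet_id}" trust="{trust}">\n{content}\n</doc>'
    return {"id": snippet_id, "verified": verified, "markers": markers,
            "allow_codegen": verified and not markers, "context": context}
```

The delimiter is a labelling aid for the model, not a boundary it is guaranteed to respect; the digest check and the `allow_codegen` gate are what actually stop a tampered snippet from driving code generation.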
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).