

Codebase Memory MCP — agentic threat model

AIVSS 7.4 · High

The Codebase Memory MCP server presents a moderate security risk primarily centered on data confidentiality, as it indexes entire codebases into a persistent knowledge graph accessible by external LLMs and agents. Its agentic risk is low due to its read-oriented, deterministic nature, but it serves as a high-value target for intellectual property theft or codebase reconnaissance.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 6.5
AARS uplift: 0.95
Factor sum: 2.7 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.10
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.40
Persistent Memory: 0.80
Contextual Awareness: 0.50
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.50
Non-Determinism: 0.10
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
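Added here as a worked check of the formula above (example code, not from the AgentReady listing or the OWASP calculator): it recomputes the listing's factor sum, AARS uplift and AIVSS from the ten factor values, keeping the arithmetic exact with Decimal (the listing displays the results rounded as 0.95 and 7.4) and rejecting a malformed factor vector before scoring.

```python
from decimal import Decimal

# The ten OWASP AIVSS agentic risk factors with the values the listing assigns
# to Codebase Memory MCP; each factor is scored from 0.0 to 1.0.
AGENTIC_FACTORS = {
    "Autonomy of Action": Decimal("0.10"),
    "Goal-Driven Planning": Decimal("0.10"),
    "Self-Modification": Decimal("0.00"),
    "Dynamic Tool Use": Decimal("0.40"),
    "Persistent Memory": Decimal("0.80"),
    "Contextual Awareness": Decimal("0.50"),
    "Dynamic Identity": Decimal("0.00"),
    "Multi-Agent Interactions": Decimal("0.50"),
    "Non-Determinism": Decimal("0.10"),
    "Opacity & Reflexivity": Decimal("0.20"),
}

ONE = Decimal(1)
TEN = Decimal(10)


def factor_sum(factors):
    """Sum the ten agentic factors, rejecting a malformed factor vector."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    total = Decimal(0)
    for name, value in factors.items():
        value = Decimal(str(value))  # accept floats/strings without binary rounding
        if not Decimal(0) <= value <= ONE:
            raise ValueError(f"{name}: {value} is outside 0.0..1.0")
        total += value
    return total


def aars(cvss_base, factors, threat_multiplier=ONE):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.
    The (10 - CVSS_Base) term scales the uplift to the headroom left below 10,
    so the agentic factors alone can never push the score past the ceiling."""
    cvss_base = Decimal(str(cvss_base))
    return (TEN - cvss_base) * (factor_sum(factors) / TEN) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=ONE, mitigation_factor=ONE):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    cvss_base = Decimal(str(cvss_base))
    if not Decimal(0) <= cvss_base <= TEN:
        raise ValueError("CVSS base score must be within 0.0..10.0")
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


if __name__ == "__main__":
    print("factor sum :", factor_sum(AGENTIC_FACTORS))  # 2.70
    print("AARS uplift:", aars(6.5, AGENTIC_FACTORS))   # 0.945
    print("AIVSS      :", aivss(6.5, AGENTIC_FACTORS))  # 7.445
```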

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The agent is an MCP server (a tool provider) rather than hosting its own foundation model. It integrates with compatible coding tools (which use LLMs), meaning foundation model threats like prompt injection or adversarial examples would target the consuming client rather than this server directly.

L2 · Data Operations (✓ mapped)

The server indexes repositories into a persistent knowledge graph. This introduces risks of knowledge-base poisoning if malicious or obfuscated code is indexed, and data exfiltration if sensitive code, hardcoded secrets, or proprietary intellectual property is extracted via MCP queries.

L3 · Agent Frameworks (✓ mapped)

Provides 14 MCP tools for code search, AST analysis, and semantic resolution. Threats include tool misuse (e.g., path traversal to index unauthorized local directories) and insecure tool integration by the consuming agent framework.

L4 · Deployment & Infrastructure (✓ mapped)

Distributed as a single static binary for macOS, Linux, and Windows with zero dependencies. Running as a local binary means any vulnerability in the parser (tree-sitter) or server could lead to local host compromise or privilege escalation if run with elevated permissions.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in logging, evaluation, guardrails, or monitoring features to detect anomalous query patterns or unauthorized codebase indexing attempts.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — The description does not specify any authentication, authorization, or access control mechanisms to restrict which local users or external agents can query the MCP server and access the indexed codebase.

L7 · Agent Ecosystem (✓ mapped)

Designed specifically to interact with compatible coding tools via the Model Context Protocol (MCP). This creates an agent-to-agent trust boundary where a compromised or rogue coding agent could abuse the MCP tools to perform deep reconnaissance of the codebase structure, call chains, and HTTP routes.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).