conan-io/conan-mcp — agentic threat model
This agent acts as a bridge between AI workflows and C/C++ package management, introducing significant supply-chain risks if allowed to execute unverified dependency resolution or project scaffolding without strict human-in-the-loop validation.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order (1 to 7). Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — The agent relies on external LLMs via the Model Context Protocol (MCP). The primary threat is prompt injection leading to unauthorized tool execution, such as forcing the agent to fetch malicious C/C++ dependencies or bypass license checks.
Layer 2 (Data Operations): The agent interacts with Conan package registries and local project files. Key threats include dependency confusion attacks, local cache poisoning, and the exfiltration of proprietary C/C++ source code or build configurations during dependency resolution.
Layer 3 (Agent Frameworks): The MCP server exposes tools for project scaffolding, dependency management, and vulnerability scanning. Insecure tool integration could allow an attacker to manipulate command-line arguments passed to the Conan CLI, leading to arbitrary command execution on the host.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The deployment environment of the MCP server is unspecified. If run locally or in an unsandboxed container, a compromise of the Conan agent could lead to host file system access, privilege escalation, and lateral network movement.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in guardrails, logging, or observability for the MCP tool calls. A lack of audit trails for dependency changes or vulnerability scan overrides represents a significant blind spot.
Layer 6 (Security and Compliance): The agent performs license checking and vulnerability scanning, which are critical for compliance. However, there are no apparent access control mechanisms or policy enforcement engines to prevent the agent from installing non-compliant packages.
Layer 7 (Agent Ecosystem): As an MCP tool, this agent is designed to be orchestrated by other agents. A compromised orchestrator could abuse this agent to inject malicious dependencies into a software supply chain, cascading the compromise to downstream systems.
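The Data Operations, Agent Frameworks and Observability threats above (unexpected registries, argument manipulation of the Conan CLI, no audit trail) share one mitigation pattern: the MCP tool never hands model-supplied strings to a shell, validates each input against an allowlist or strict grammar, pins the remote, and records every decision. The sketch below is an added illustration, not code from conan-mcp; the reference grammar, the subcommand scope and the remote names are assumptions.

```python
import re
import subprocess
import time
from typing import Callable, Dict, List

# Conservative reference grammar, name/version[@user/channel] (an assumption,
# stricter than Conan's own parser). By construction it admits no whitespace,
# no shell metacharacters and no leading '-', so a reference can never be
# re-interpreted as a separate CLI option.
_REF_RE = re.compile(
    r"^[a-z0-9_][a-z0-9_+.\-]{0,100}/[a-zA-Z0-9_+.\-]{1,100}"
    r"(@[a-z0-9_][a-z0-9_+.\-]{0,100}/[a-z0-9_][a-z0-9_+.\-]{0,100})?$"
)
ALLOWED_SUBCOMMANDS = {"install", "list"}             # tool scope (assumption)
ALLOWED_REMOTES = {"conancenter", "internal-remote"}  # constructed remote names
AUDIT_LOG: List[Dict] = []  # in-memory audit trail; a real server would persist it


class ToolArgumentError(ValueError):
    """Raised when model-supplied tool arguments fail validation."""


def is_safe_reference(reference: str) -> bool:
    """True only if the reference matches the strict grammar above."""
    return bool(_REF_RE.match(reference))


def build_conan_argv(subcommand: str, reference: str, remote: str) -> List[str]:
    """Validate the three model-controlled inputs and return an argv list."""
    if subcommand not in ALLOWED_SUBCOMMANDS:
        raise ToolArgumentError(f"subcommand not allowed: {subcommand!r}")
    if not is_safe_reference(reference):
        raise ToolArgumentError(f"malformed package reference: {reference!r}")
    if remote not in ALLOWED_REMOTES:  # no fallback to an arbitrary registry
        raise ToolArgumentError(f"remote not approved: {remote!r}")
    if subcommand == "install":
        return ["conan", "install", f"--requires={reference}", "-r", remote]
    return ["conan", "list", reference, "-r", remote]


def run_conan_tool(subcommand: str, reference: str, remote: str,
                   runner: Callable = subprocess.run) -> Dict:
    """Run a validated Conan command (argv form, no shell) and audit the outcome."""
    entry: Dict = {"ts": time.time(), "inputs": [subcommand, reference, remote]}
    try:
        argv = build_conan_argv(subcommand, reference, remote)
    except ToolArgumentError as exc:
        entry.update(decision="rejected", reason=str(exc))
        AUDIT_LOG.append(entry)
        return entry
    proc = runner(argv, shell=False, capture_output=True, text=True, timeout=600)
    entry.update(decision="executed", argv=argv, returncode=proc.returncode)
    AUDIT_LOG.append(entry)
    return entry
```

The `runner` parameter exists so the wrapper can be exercised without a Conan installation; in production it is left at its `subprocess.run` default.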
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).