Context7 MCP — agentic threat model

AIVSS 7.4 · High

Context7 MCP acts as a high-utility documentation retrieval tool, but its primary risk lies in serving as an untrusted-content vector; if its curated corpus or retrieval pipeline is compromised, it could inject malicious code snippets directly into downstream agent contexts, potentially triggering prompt injection or remote code execution.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 7.5
AARS uplift: 0.3
Factor sum: 1.2 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.95

Agentic risk factors (sum 1.2):
Autonomy of Action: 0.10
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.10
Persistent Memory: 0.00
Contextual Awareness: 0.40
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.20
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
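Carrying the listing's own formula through with the figures above, as an added worked check that is not part of the original listing:

$$\text{Factor\_Sum} = 0.10 + 0.10 + 0.00 + 0.10 + 0.00 + 0.40 + 0.00 + 0.20 + 0.20 + 0.10 = 1.2$$

$$\text{AARS} = (10 - \text{CVSS\_Base}) \times \frac{\text{Factor\_Sum}}{10} \times \text{ThM} = (10 - 7.5) \times \frac{1.2}{10} \times 1.0 = 2.5 \times 0.12 = 0.3$$

$$\text{AIVSS} = (\text{CVSS\_Base} + \text{AARS}) \times \text{Mitigation\_Factor} = (7.5 + 0.3) \times 0.95 = 7.41 \approx 7.4$$

The displayed 7.4 is the unrounded 7.41 rounded to one decimal place; the Contextual Awareness factor (0.40) alone contributes a third of the agentic uplift.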

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Context7 is an MCP tool rather than a foundation model, but the downstream LLMs processing its retrieved snippets are highly vulnerable to indirect prompt injection if malicious content is introduced into the documentation corpus.

L2 · Data Operations (✓ mapped)

As a RAG-style documentation retriever, the primary threat is data poisoning of the Upstash/Context7 curated library corpus, or manipulation of the embedding/retrieval index that causes the server to return malicious or outdated code snippets.

L3 · Agent Frameworks (✓ mapped)

Integrates via the Model Context Protocol (MCP). The returned snippets represent an untrusted-content surface; if the calling agent framework lacks strict input validation or sandboxing, executing code examples retrieved from this tool could lead to tool misuse or framework compromise.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment model involves an Upstash-hosted server or local MCP execution. Threats include insecure API transport, lack of sandboxing for the retrieval client, and potential exposure of local developer environments.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, content filtering, or observability logging to detect if the retrieved documentation snippets contain malicious payloads or prompt injection vectors.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — The listing does not specify authentication mechanisms, access controls, or compliance certifications (like SOC2) for the Upstash-hosted Context7 service.

L7 · Agent Ecosystem (✓ mapped)

Operating within the MCP ecosystem, a compromise of Context7 represents a supply-chain threat where multiple downstream agents consuming these docs could be simultaneously fed malicious instructions, leading to cascading failures across agentic workflows.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).