Context7 — agentic threat model

AIVSS 7.3 · High

Context7 acts as a high-fidelity documentation and code-example retrieval agent, presenting low direct execution risk but high indirect risk if malicious actors poison the indexed libraries to execute prompt injection or supply-chain attacks through the developer's context.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 6.3
AARS uplift: 0.97
Factor sum: 2.5/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.40
Persistent Memory: 0.10
Contextual Awareness: 0.80
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.30
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
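As an added worked example (not part of the AgentReady listing or the OWASP calculator), the AIVSS arithmetic above carried through in Python with the page's own factor values; the per-factor 0..1 range check is an assumption implied by the Factor_Sum / 10 normalisation of ten factors:

```python
from typing import Mapping

# Agentic risk factors exactly as listed on the page (they sum to 2.5).
CONTEXT7_FACTORS: Mapping[str, float] = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.40,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}


def factor_sum(factors: Mapping[str, float]) -> float:
    """Sum the ten agentic factors, rejecting out-of-range values.
    Assumption: each factor is scored in [0.0, 1.0], since the formula
    divides the sum of ten factors by 10 to normalise it to [0, 1]."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base: float, factors: Mapping[str, float], thm: float) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM"""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base: float, factors: Mapping[str, float],
          thm: float = 1.0, mitigation: float = 1.0) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor"""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def context7_score() -> float:
    """The page's inputs: CVSS base 6.3, ThM 1.05, mitigation 1.0."""
    return round(aivss(6.3, CONTEXT7_FACTORS, thm=1.05, mitigation=1.0), 1)


if __name__ == "__main__":
    uplift = aars(6.3, CONTEXT7_FACTORS, 1.05)
    print(f"factor sum   = {factor_sum(CONTEXT7_FACTORS):.2f}")
    print(f"AARS uplift  = {uplift:.2f}")       # 0.97
    print(f"AIVSS score  = {context7_score()}")  # 7.3
```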

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — the agent relies on external LLMs via MCP. The primary threat is indirect prompt injection where poisoned documentation retrieved by Context7 hijacks the downstream foundation model's instructions.

L2 · Data Operations · ✓ mapped

High risk of knowledge-base poisoning. If an attacker compromises or manipulates the upstream package registries or the curated documentation index of thousands of libraries, they can inject malicious code examples or instructions directly into the developer's context.

L3 · Agent Frameworks · ✓ mapped

The agent uses the Model Context Protocol (MCP) to expose tools. The framework must safely handle schema definitions and prevent tool-calling manipulation where retrieved documentation tricks the orchestrator into executing unintended actions.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — as an open-source/freemium MCP tool, deployment could be local or hosted. If hosted, threats include insecure API endpoints and lack of sandboxing during document parsing; if local, it inherits the developer's local system privileges.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — there is no mention of built-in guardrails, verification of retrieved code snippets, or logging mechanisms to detect if retrieved documentation contains adversarial payloads or malicious code patterns.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — no compliance certifications (like SOC2) or explicit access control policies are mentioned. The open-source nature allows code auditing, but the curation pipeline lacks visible verification standards.

L7 · Agent Ecosystem · ✓ mapped

Designed specifically to integrate with other agents via MCP. A compromised Context7 agent can act as a vector for cascading failures, feeding malicious code examples or poisoned context to developer-facing coding assistants.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).