AgentReadyHomeAgent Listing

← CUA MCP Server

CUA MCP Server — agentic threat model

6.5AIVSS 6.5 · Medium

The CUA MCP Server presents a high-risk profile due to its capability for full macOS desktop control and GUI actuation, which is significantly mitigated by its design requirement for sandboxed VM execution.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.77Factor sum 5.1/10Threat ×1.0Mitigation ×0.7
Autonomy of Action
0.80
Goal-Driven Planning
0.70
Self-Modification
0.10
Dynamic Tool Use
0.90
Persistent Memory
0.20
Contextual Awareness
0.80
Dynamic Identity
0.20
Multi-Agent Interactions
0.10
Non-Determinism
0.70
Opacity & Reflexivity
0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — relies on external LLMs via the MCP protocol, making it susceptible to prompt injection driving arbitrary desktop actions.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — primarily processes real-time screenshots and input events rather than maintaining a persistent knowledge base or vector store.

L3 · Agent Frameworks✓ mapped

The agent framework exposes highly sensitive OS-level tools (mouse, keyboard, screenshot) to an LLM, creating a high-risk surface where prompt injection can lead to unauthorized tool execution.

L4 · Deployment & Infrastructure✓ mapped

Runs in sandboxed macOS VMs on Apple Silicon. This sandboxing is a critical control to prevent host compromise, though VM escape remains a theoretical threat.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — no explicit mention of logging, guardrails, or observability tools to monitor the desktop actions taken by the agent.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — lacks details on authentication, authorization, or policy enforcement mechanisms between the MCP client and server.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — designed as an MCP server for a single LLM/client, with no explicit multi-agent coordination or marketplace features described.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).