Desktop Commander MCP — agentic threat model

AIVSS 8.4 · High

Desktop Commander MCP presents an extremely high agentic risk profile due to its ability to execute arbitrary terminal commands, manage local processes, and perform full filesystem operations. While audit logging provides traceability, a compromise of the connecting LLM client could lead to complete host takeover.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.11
Factor sum: 4.8/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.85

Agentic risk factors (each scored 0 to 1):

Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.30
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.30
Non-Determinism: 0.60
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
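The score above can be checked by carrying the listing's own formula and inputs through in code. This is an added example, not code from AgentReady or from the Desktop Commander project; the function names, the cap at 10 and the qualitative severity bands (taken from CVSS v3) are this example's assumptions. It also goes one step beyond the listing by showing what the same agent would score with no mitigation credit.

```python
"""OWASP AIVSS worked through for the Desktop Commander MCP listing.

Added example, not code from AgentReady or from the Desktop Commander
project. It reproduces the listing's published formula and inputs so the
8.4 score can be checked by hand; function names, the 0-10 cap and the
severity bands are this example's own assumptions.
"""

# The ten agentic risk factors exactly as the listing scores them (0.0 to 1.0).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.40,
}

CVSS_BASE = 9.8           # CVSS base score given on the listing
THREAT_MULTIPLIER = 1.1   # ThM given on the listing
MITIGATION_FACTOR = 0.85  # Mitigation_Factor given on the listing


def factor_sum(factors):
    """Sum of the ten agentic factors (the listing reports 4.8/10)."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.

    The (10 - CVSS_Base) headroom term is why a 9.8 base gains only about
    0.11 of agentic uplift even with a high factor sum: there is almost no
    room left on the scale.
    """
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, capped at 10 (assumed cap)."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return min((cvss_base + uplift) * mitigation_factor, 10.0)


def severity(score):
    """Qualitative band. Assumption: the CVSS v3 bands (None/Low/Medium/High/Critical)."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def report(cvss_base=CVSS_BASE, factors=AGENTIC_FACTORS,
           threat_multiplier=THREAT_MULTIPLIER, mitigation_factor=MITIGATION_FACTOR):
    """Rounded intermediate values, matching how the listing presents them."""
    score = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "factor_sum": round(factor_sum(factors), 2),
        "aars": round(aars(cvss_base, factors, threat_multiplier), 2),
        "aivss": round(score, 1),
        "severity": severity(round(score, 1)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>10}: {value}")
    # What the same agent would score with no mitigation credit at all:
    print("no mitigation:", report(mitigation_factor=1.0))
```

Running it reproduces the listing's intermediate values (factor sum 4.8, AARS 0.11, AIVSS 8.4, High). Setting the mitigation factor to 1.0 pushes the same inputs to 9.9 and into the Critical band, which makes clear how much of the final score rests on the audit-logging credit.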

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing describes an MCP server that interfaces with external AI clients, meaning the foundation model's vulnerabilities (adversarial prompt injection, alignment) depend entirely on the client LLM chosen by the user.

L2 · Data Operations (✓ mapped)

High risk of data exfiltration and unauthorized modification. The tool has full filesystem access (read/write, recursive search, Excel/PDF manipulation), allowing a compromised client to access or corrupt sensitive local files.

L3 · Agent Frameworks (✓ mapped)

Critical risk of tool misuse. By exposing terminal automation, process control, and diff-based file editing directly to an LLM, any prompt injection on the client side can be translated into arbitrary local code execution.

L4 · Deployment & Infrastructure (✓ mapped)

Severe infrastructure risk. Because this runs locally in the user's development environment, a compromise of the MCP server or its client directly exposes the host operating system, local network, and user credentials.

L5 · Evaluation & Observability (✓ mapped)

The tool includes comprehensive audit logging of tool calls for traceability, which helps mitigate blind spots, but it lacks active runtime guardrails or anomaly detection to block malicious commands before execution.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

While it claims 'controlled access' and provides audit logs, there is no mention of robust local authentication, role-based access control (RBAC), or sandboxing to restrict what the terminal commands can execute.
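The L5 and L6 commentary above names what is missing: a decision point before a command or file operation runs, with a deny-by-default policy and an audit record of every decision. The sketch below is an added example, not code from Desktop Commander MCP or from AgentReady; the tool names (read_file, write_file, search_files, execute_command, kill_process), the call-record shape, the policy and the JSON audit-line format are all constructed assumptions, not the real server's interface. The sample tool calls are constructed too.

```python
"""Pre-execution policy gate for MCP tool calls (defensive sketch).

Added example, not code from Desktop Commander MCP or from AgentReady. It
shows the runtime guardrail the L5/L6 commentary finds missing: decide
before a tool call runs, then log the decision either way. Tool names,
the call-record shape and the audit-line format are assumptions.
"""
import json
import posixpath
import shlex

# Constructed policy. Deny-by-default: anything not listed here is refused.
POLICY = {
    "allowed_roots": ["/home/dev/project"],            # workspace the agent may touch
    "allowed_programs": {"ls", "cat", "git", "pytest", "rg"},
    "denied_tools": {"kill_process"},                  # process control stays with the human
}

SHELL_METACHARS = set("|;&$`<>()\n")  # any of these turns one program into a pipeline

AUDIT_LOG = []  # stand-in for an append-only audit sink (one JSON line per decision)


def inside_allowed_root(path, roots):
    """Lexical containment check: absolute path, '..' collapsed, no disk access."""
    if not path or not posixpath.isabs(path):
        return False
    normalized = posixpath.normpath(path)
    for root in roots:
        root = posixpath.normpath(root)
        if normalized == root or normalized.startswith(root + "/"):
            return True
    return False


def evaluate(call, policy=POLICY):
    """Return (allowed, reason) for one tool-call record without executing it."""
    tool = call.get("tool")
    args = call.get("args", {})
    if tool in policy["denied_tools"]:
        return False, f"tool {tool!r} is not exposed to the model"
    if tool in ("read_file", "write_file", "search_files"):
        path = args.get("path", "")
        if not inside_allowed_root(path, policy["allowed_roots"]):
            return False, f"path {path!r} is outside the allowed roots"
        return True, "path inside workspace"
    if tool == "execute_command":
        command = args.get("command", "")
        if any(ch in SHELL_METACHARS for ch in command):
            return False, "shell metacharacters are not allowed"
        try:
            argv = shlex.split(command)
        except ValueError:
            return False, "unparseable command line"
        if not argv:
            return False, "empty command"
        program = posixpath.basename(argv[0])
        if program not in policy["allowed_programs"]:
            return False, f"program {program!r} is not allowlisted"
        if not inside_allowed_root(args.get("cwd", ""), policy["allowed_roots"]):
            return False, "cwd is outside the allowed roots"
        return True, f"allowlisted program {program!r} inside workspace"
    return False, f"unknown tool {tool!r}"


def gate(call, policy=POLICY):
    """Decide, then record the decision; the caller executes only on True."""
    allowed, reason = evaluate(call, policy)
    AUDIT_LOG.append(json.dumps(
        {"tool": call.get("tool"), "args": call.get("args", {}),
         "allowed": allowed, "reason": reason}, sort_keys=True))
    return allowed, reason


# Constructed tool-call records, shaped like what a client LLM might send.
SAMPLE_CALLS = [
    {"tool": "read_file", "args": {"path": "/home/dev/project/src/main.py"}},
    {"tool": "read_file", "args": {"path": "/home/dev/project/../other-repo/config.yaml"}},
    {"tool": "execute_command", "args": {"command": "git status", "cwd": "/home/dev/project"}},
    {"tool": "execute_command", "args": {"command": "git status; env", "cwd": "/home/dev/project"}},
    {"tool": "execute_command", "args": {"command": "rm -rf /home/dev/project", "cwd": "/home/dev/project"}},
    {"tool": "kill_process", "args": {"pid": 4242}},
]


def run_samples():
    """Gate every sample call; returns the (allowed, reason) list in order."""
    AUDIT_LOG.clear()
    return [gate(call) for call in SAMPLE_CALLS]


if __name__ == "__main__":
    for call, (allowed, reason) in zip(SAMPLE_CALLS, run_samples()):
        print("ALLOW" if allowed else "DENY ", call["tool"], "-", reason)
    print("\n".join(AUDIT_LOG))
```

Two design points matter more than the specific lists. The containment check is lexical on purpose, so a path with `..` segments is normalised before comparison rather than resolved through symlinks on disk, and a relative path is refused outright. The command check rejects any shell metacharacter before looking at the program name, because allowlisting only the first token would still let a chained or piped command through. A gate like this is a complement to the server's audit log, not a replacement for OS-level sandboxing.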

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, it is designed to be plugged into various agent ecosystems. This introduces agent-to-agent trust abuse risks, where a secondary compromised agent could command this server to execute malicious local payloads.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).