DevDocs — agentic threat model
DevDocs serves as a local MCP server for documentation retrieval. Its main exposure is indirect prompt injection: crawling untrusted external sites can poison the local store, and the poisoned content is then served to downstream developer agents that consume it.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.50 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — DevDocs is an MCP server and utility rather than a foundation model, though it formats context destined for downstream LLMs.
Layer 2 (Data Operations): High risk of data/knowledge-base poisoning. Because the tool crawls untrusted external documentation sites, an attacker can place malicious instructions or indirect prompt injections in public docs and have them indexed into the local vector store.
Layer 3 (Agent Frameworks): Insecure tool integration risk. As an MCP server, weaknesses in how it parses, structures, and serves crawled context could let malicious payloads reach and exploit the consuming agent's orchestration framework.
Layer 4 (Deployment and Infrastructure): Local hosting risks. Running as a local UI-based server introduces local path traversal, insecure file permissions on the local store, and Server-Side Request Forgery (SSRF) through the crawler.
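The Layer 4 risks above (SSRF through the crawler, path traversal into the local store, loose store permissions) are the ones with the most mechanical mitigations. The following is an added example, not DevDocs' own code, showing the three checks a local documentation crawler would apply before fetching a URL or writing to its store. The function names, the injectable `resolve` parameter, and the store layout are assumptions made for this example.

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a documentation crawler should never fetch from, on top of the
# generic private/loopback/link-local checks below. 169.254.169.254 (cloud
# metadata service) already falls under link-local; 100.64.0.0/10 (carrier-grade
# NAT) is listed explicitly because ipaddress does not treat it as private.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "::ffff:0:0/96",
)]


def _is_non_public(addr):
    """True if addr is anything other than a routable public address."""
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_crawl_url(url, resolve=socket.gethostbyname):
    """Decide whether the crawler may fetch url. Returns (allowed, reason).

    `resolve` is an injectable hypothetical parameter so the check can run
    offline in tests. In production, pin the resolved address and connect to it
    directly, and re-run this check on every redirect target, so that a DNS
    rebind or a redirect between check and fetch cannot bypass the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addr = ipaddress.ip_address(parts.hostname)       # literal IP in the URL
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(parts.hostname))
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve {parts.hostname}: {exc}"
    if _is_non_public(addr):
        return False, f"{parts.hostname} resolves to non-public address {addr}"
    return True, f"{parts.hostname} -> {addr}"


def store_path_for(base_dir, doc_id):
    """Map a crawled document id onto the local store, refusing any id that
    would resolve outside base_dir (traversal via '..', symlinks or absolute paths)."""
    base = Path(base_dir).resolve()
    candidate = (base / doc_id).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"document id escapes the store: {doc_id!r}")
    return candidate


def init_store(base_dir):
    """Create the local store directory readable and writable only by its owner."""
    base = Path(base_dir)
    base.mkdir(mode=0o700, parents=True, exist_ok=True)
    base.chmod(0o700)   # explicit: mkdir's mode is subject to the umask
    return base


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    fake_dns = {"docs.example": "93.184.216.34", "internal.corp": "10.0.0.5"}
    for u in ("https://docs.example/react/hooks",
              "http://internal.corp/wiki",
              "http://127.0.0.1:8000/",
              "http://169.254.169.254/",
              "file:///tmp/notes.txt"):
        print(u, check_crawl_url(u, resolve=lambda h: fake_dns[h]))
    print(store_path_for("/tmp/devdocs-store", "react/hooks.md"))
```

The URL check is deliberately conservative: anything that is not a public IPv4/IPv6 address is refused, which also covers hostnames that resolve to internal services. The store check compares resolved paths rather than string prefixes, so a document id of `../` or an absolute path is rejected even if the store directory is itself a symlink.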
Layer 5 (Evaluation and Observability): Not certain from the listing — there is no mention of built-in guardrails, input sanitization, or anomaly detection that would filter out malicious content during the crawling and indexing phase.
Layer 6 (Security and Compliance): Not certain from the listing — while it specifies 'private local storage', it is unclear what authentication, authorization, or access-control mechanisms govern which local agents can query the MCP server.
Layer 7 (Agent Ecosystem): High ecosystem risk. DevDocs is explicitly built to feed context to other agents, so a single poisoned document in DevDocs can propagate malicious instructions horizontally to multiple developer agents in the ecosystem.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).