Docker MCP — agentic threat model
The Docker MCP agent presents an exceptionally high risk profile because it bridges natural language instructions directly to host-level container orchestration, potentially allowing arbitrary code execution, host filesystem mounting, and network exposure.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 1.00 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The underlying LLM is not specified, but any model driving this agent is highly vulnerable to prompt injection or jailbreaks that could be translated directly into malicious Docker commands (e.g., running privileged containers).
Layer 2 (Data Operations): Not certain from the listing — The agent reads container logs, which may contain sensitive runtime secrets, PII, or application data, presenting a high risk of data exfiltration if the agent's output channel is compromised.
Layer 3 (Agent Frameworks): The agent exposes highly sensitive tools (run, stop, compose, log retrieval). Insecure tool integration or a lack of strict input validation on container parameters (such as volume mounts and port mappings) represents a critical vulnerability.
Layer 4 (Deployment & Infrastructure): Extremely high risk. Because the agent can mount host paths, expose ports, and run privileged images, a compromise of this agent effectively grants broad host-adjacent capabilities and a direct path to host escape.
Layer 5 (Evaluation & Observability): Not certain from the listing — No guardrails, evaluation frameworks, or anomaly detection systems are mentioned that would monitor whether the container commands issued by the agent are malicious or anomalous.
Layer 6 (Security & Compliance): The listing does not mention any authentication, authorization, or policy enforcement mechanisms (such as limiting which images can be run or which host paths can be mounted), indicating a lack of access controls.
Layer 7 (Agent Ecosystem): If integrated into a multi-agent system or exposed to external MCP clients, other compromised or untrusted agents could abuse this agent to gain complete control over the underlying infrastructure.
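The tool-parameter validation gap and the missing image/mount policy described above can be closed with a deny-by-default gate between the model's request and the Docker API. The following is an added example, not code from the Docker MCP agent; the `RunRequest` shape, the image allowlist and the permitted mount root are constructed assumptions.

```python
# Added example (not the agent's own code): a deny-by-default policy gate an MCP server could
# apply to a model-generated "run container" request before handing it to the Docker API.
# The request shape, image allowlist and permitted mount root are constructed assumptions.
from dataclasses import dataclass, field
from pathlib import PurePosixPath

ALLOWED_IMAGES = {"nginx:1.27", "redis:7"}   # constructed allowlist of pinned tags
ALLOWED_MOUNT_ROOT = "/srv/app-data"          # constructed: only host paths below this may be bound


@dataclass
class RunRequest:
    image: str
    privileged: bool = False
    binds: list = field(default_factory=list)  # Docker bind syntax "host_path:container_path[:mode]"
    ports: list = field(default_factory=list)  # "host_port:container_port" or "host_ip:host_port:container_port"


def check_run_request(req):
    """Return the list of policy violations; an empty list means the request may proceed."""
    violations = []
    if req.image not in ALLOWED_IMAGES:
        violations.append(f"image not allowlisted: {req.image}")
    if req.privileged:
        violations.append("privileged containers are not permitted")
    for bind in req.binds:
        host_path = bind.split(":", 1)[0]
        parts = PurePosixPath(host_path).parts
        # PurePosixPath does not resolve "..", so reject traversal explicitly instead of
        # trusting a prefix check; relative paths are rejected for the same reason.
        if not host_path.startswith("/") or ".." in parts:
            violations.append(f"mount path must be absolute and free of '..': {host_path}")
        elif host_path != ALLOWED_MOUNT_ROOT and not host_path.startswith(ALLOWED_MOUNT_ROOT + "/"):
            violations.append(f"host path outside permitted mount root: {host_path}")
    for spec in req.ports:
        fields = spec.split(":")
        # The two-part form ("8080:80") publishes on all interfaces by default; require an explicit loopback bind.
        host_ip = fields[0] if len(fields) == 3 else "0.0.0.0"
        if host_ip != "127.0.0.1":
            violations.append(f"port publication must bind to 127.0.0.1, got {spec}")
    return violations


if __name__ == "__main__":
    bad = RunRequest("alpine:latest", privileged=True,
                     binds=["/var/run/docker.sock:/var/run/docker.sock"], ports=["8080:80"])
    print(check_run_request(bad))   # four violations: image, privileged, mount, port
    good = RunRequest("nginx:1.27", binds=["/srv/app-data/site:/usr/share/nginx/html:ro"],
                      ports=["127.0.0.1:8080:80"])
    print(check_run_request(good))  # []
```

The gate rejects the request outright on any violation; logging the rejected request alongside the model's original instruction also gives the Layer 5 monitoring the listing lacks something concrete to alert on.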
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).