
Docker MCP — agentic threat model

AIVSS 9.9 · Critical

The Docker MCP agent presents an exceptionally high risk profile because it bridges natural language instructions directly to host-level container orchestration, potentially allowing arbitrary code execution, host filesystem mounting, and network exposure.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 9.8 · AARS uplift 0.11 · Factor sum 5.2/10 · Threat ×1.1 · Mitigation ×1.0

Agentic risk factors:
  Autonomy of Action         0.80
  Goal-Driven Planning       0.60
  Self-Modification          0.10
  Dynamic Tool Use           1.00
  Persistent Memory          0.20
  Contextual Awareness       0.50
  Dynamic Identity           0.40
  Multi-Agent Interactions   0.30
  Non-Determinism            0.70
  Opacity & Reflexivity      0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
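As an added worked example (not part of the listing or of the AIVSS calculator), the formula above evaluated with the ten factor values shown for this agent, reproducing the 9.9 score; the qualitative bands are assumed to follow the CVSS v3.x ranges (9.0 and above is Critical), and the 0.9 mitigation value is a constructed what-if, not a figure from the listing.

```python
# Factor values exactly as shown in the listing (constructed dict, same numbers).
DOCKER_MCP_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 1.00,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.60,
}


def aars(cvss_base: float, factors: dict, threat_multiplier: float) -> float:
    """Agentic risk uplift: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    factor_sum = sum(factors.values())  # 5.2 for the values above
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict,
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded to one decimal."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(raw, 1)


def rating(score: float) -> str:
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3.x severity ranges."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


if __name__ == "__main__":
    # Listing parameters: CVSS base 9.8, threat x1.1, no mitigation credit (x1.0).
    score = aivss(9.8, DOCKER_MCP_FACTORS, threat_multiplier=1.1, mitigation_factor=1.0)
    print(f"AIVSS {score} · {rating(score)}")  # AIVSS 9.9 · Critical
    # Constructed what-if: a 0.9 mitigation factor (e.g. enforced image/mount allow-lists)
    # is enough to move the rating out of the Critical band, but only just.
    mitigated = aivss(9.8, DOCKER_MCP_FACTORS, threat_multiplier=1.1, mitigation_factor=0.9)
    print(f"with mitigation x0.9: {mitigated} · {rating(mitigated)}")
```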

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The underlying LLM is not specified, but any model driving this agent is highly vulnerable to prompt injection or jailbreaks that could be translated directly into malicious Docker commands (e.g., running privileged containers).

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — The agent reads container logs which may contain sensitive runtime secrets, PII, or application data, presenting a high risk of data exfiltration if the agent's output channel is compromised.

L3 · Agent Frameworks · ✓ mapped

The agent exposes highly sensitive tools (run, stop, compose, log retrieval). Insecure tool integration or lack of strict input validation on container parameters (like volume mounts and port mappings) represents a critical vulnerability.

L4 · Deployment & Infrastructure · ✓ mapped

Extremely high risk. Because the agent can mount host paths, expose ports, and run privileged images, a compromise of this agent effectively grants broad host-adjacent capabilities and a direct path to host escape.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There are no mentioned guardrails, evaluation frameworks, or anomaly detection systems to monitor whether the container commands issued by the agent are malicious or anomalous.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The listing does not mention any authentication, authorization, or policy enforcement mechanisms (such as limiting which images can be run or which host paths can be mounted), indicating a lack of access controls.

L7 · Agent Ecosystem · ✓ mapped

If integrated into a multi-agent system or exposed to external MCP clients, other compromised or untrusted agents could abuse this agent to gain complete control over the underlying infrastructure.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).