
Docker — agentic threat model

AIVSS 9.9 · Critical

The Docker MCP server presents an extremely high-risk profile because it grants an LLM direct, unmitigated control over the local Docker daemon. A compromise or prompt injection can easily lead to full host takeover via privileged container creation or host path mounting.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 9.8
AARS uplift: 0.08
Factor sum: 3.7 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action: 0.80
Goal-Driven Planning: 0.40
Self-Modification: 0.00
Dynamic Tool Use: 0.90
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.20
Non-Determinism: 0.50
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not establish what that layer looks like for this agent.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The listing describes an MCP server rather than a specific foundation model. However, any model driving this agent is highly vulnerable to indirect prompt injection, which could be leveraged to execute unauthorized Docker commands.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — No specific RAG or vector database operations are mentioned, though the agent can read and write arbitrary data on the host system if volumes are mounted.

L3 · Agent Frameworks · ✓ mapped

Extremely high risk of tool misuse. The agent exposes powerful capabilities (container lifecycle, volume mounts) as tools. If the orchestrating framework fails to validate LLM tool calls, an attacker can manipulate the agent into running malicious containers.

L4 · Deployment & Infrastructure · ✓ mapped

Critical infrastructure risk. Because the agent drives the local Docker daemon, it operates with high privileges. An attacker can easily achieve host compromise, container escape, and privilege escalation by mounting the host root directory or running privileged containers.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, logging, or anomaly detection to monitor and block suspicious Docker API calls generated by the agent.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The agent lacks built-in authorization controls or policy enforcement. It implicitly trusts all instructions passed through the MCP interface, inheriting the full permissions of the underlying Docker daemon without user-consent prompts or fine-grained access control.
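Layers L3 through L6 all come down to one gap: the tool call the LLM emits reaches the Docker daemon without anyone checking it for the two patterns the listing names (privileged containers and host path mounts), and without a record of what was decided. The following Python is an added example from the defender's side, not code from the Docker MCP server or any framework: a policy gate that inspects a proposed Docker Engine `POST /containers/create` request body before it is forwarded, denies it if `HostConfig.Privileged` is set or if any bind mount (in either the `Binds` or the `Mounts` form of the API) points outside an allow-list of host directories, and emits a JSON audit line for each decision. The allow-list root `/srv/agent-data`, the tool name and both request bodies are constructed for the example.

```python
"""Pre-execution policy gate for LLM-issued Docker container-create calls (added example)."""
import json
import os
import time

# Constructed policy: the only host directory the agent may bind-mount.
# A real deployment would set this from configuration, not a constant.
ALLOWED_MOUNT_ROOTS = ("/srv/agent-data",)

# Constructed request bodies in the shape of the Docker Engine API's
# POST /containers/create payload. The first is what a hijacked agent might
# produce; the second is a request the policy is meant to let through.
RISKY_REQUEST = {
    "Image": "alpine:latest",
    "HostConfig": {
        "Privileged": True,
        "Binds": ["/:/host"],
        "Mounts": [{"Type": "bind", "Source": "/etc", "Target": "/mnt/etc"}],
    },
}
SAFE_REQUEST = {
    "Image": "alpine:latest",
    "HostConfig": {
        "Privileged": False,
        "Binds": ["/srv/agent-data/job-17:/work:rw", "scratch-vol:/tmp/scratch"],
    },
}


def _under_allowed_root(host_path, allowed_roots):
    """True if host_path is one of the allowed roots or a path beneath one of them."""
    path = os.path.normpath(host_path)
    for root in allowed_roots:
        root = os.path.normpath(root)
        if path == root or path.startswith(root + os.sep):
            return True
    return False


def _bind_sources(host_config):
    """Yield the host-side source of every bind mount in a HostConfig."""
    for bind in host_config.get("Binds") or []:
        source = bind.split(":", 1)[0]
        # An absolute path is a host bind mount; anything else names a Docker volume.
        if source.startswith("/"):
            yield source
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source"):
            yield mount["Source"]


def evaluate_create_request(body, allowed_roots=ALLOWED_MOUNT_ROOTS):
    """Return (allowed, reasons). Empty reasons means the request may be forwarded."""
    reasons = []
    host_config = body.get("HostConfig") or {}
    if host_config.get("Privileged"):
        reasons.append("HostConfig.Privileged is true: container would get full host device and capability access")
    for source in _bind_sources(host_config):
        if not _under_allowed_root(source, allowed_roots):
            reasons.append(f"bind mount of host path {source!r} is outside allowed roots {list(allowed_roots)}")
    return (not reasons, reasons)


def audit_record(tool_name, body, allowed, reasons):
    """One JSON line per decision, so blocked and permitted calls are both observable (L5)."""
    return json.dumps({
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "tool": tool_name,
        "image": body.get("Image"),
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
    })


def gate(tool_name, body, allowed_roots=ALLOWED_MOUNT_ROOTS):
    """Evaluate, log, and return the decision; the caller forwards to Docker only on True."""
    allowed, reasons = evaluate_create_request(body, allowed_roots)
    print(audit_record(tool_name, body, allowed, reasons))
    return allowed


if __name__ == "__main__":
    gate("docker_create_container", RISKY_REQUEST)  # denied, three reasons
    gate("docker_create_container", SAFE_REQUEST)   # allowed
```

The gate sits between the MCP tool dispatcher and the daemon, so it works regardless of which model or prompt produced the call; that is the point of enforcing policy at the tool boundary rather than asking the model to behave. Denied requests are logged with the same fields as allowed ones, which is what turns the daemon's silence into something a detection pipeline can alert on.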

L7 · Agent Ecosystem · ✓ mapped

High risk in multi-agent workflows. If this agent is chained with other, less-trusted agents, a compromised agent in the ecosystem could exploit the Docker agent to execute arbitrary code on the host system.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).