Docker — agentic threat model
The Docker MCP server has an extremely high-risk profile because it gives an LLM direct, unmediated control of the local Docker daemon. Access to the daemon is equivalent to root on the host: a compromised or prompt-injected agent can take over the host simply by creating a privileged container or by bind-mounting host paths (the host root directory, or the Docker socket itself) into a container it controls.
OWASP AIVSS score rationale
| Factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.40 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.30 | |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference). The agentic risk factors are estimates derived from the agent’s described capabilities, not from hands-on testing of the server.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the seven MAESTRO layers in order. Layers tagged “not certain from the listing” carry general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models). Not certain from the listing: the listing describes an MCP server rather than a specific foundation model. Whatever model drives this agent is exposed to indirect prompt injection through any content it reads, such as container output or files in mounted volumes, which could be leveraged to issue unauthorized Docker commands.
Layer 2 (Data Operations). Not certain from the listing: no RAG or vector-database operations are mentioned. The agent can nevertheless read and write arbitrary host data wherever volumes are mounted, so the data it handles is both untrusted input and a potential exfiltration target.
Layer 3 (Agent Frameworks). Extremely high risk of tool misuse. The agent exposes powerful capabilities (container lifecycle, volume mounts) as tools. If the orchestrating framework passes LLM tool calls to the daemon without validating their arguments, an attacker can steer the agent into running malicious containers.
Layer 4 (Deployment and Infrastructure). Critical infrastructure risk. Because the agent drives the local Docker daemon, it effectively operates with root privileges on the host. Bind-mounting the host root directory or starting a privileged container gives an attacker host compromise, container escape and privilege escalation without needing any further vulnerability.
Layer 5 (Evaluation and Observability). Not certain from the listing: there is no mention of built-in guardrails, logging or anomaly detection that would record and block suspicious Docker API calls generated by the agent.
Layer 6 (Security and Compliance). The agent has no built-in authorization controls or policy enforcement. It implicitly trusts every instruction arriving over the MCP interface and inherits the full permissions of the underlying Docker daemon, with no user-consent prompt and no fine-grained access control between the model and the daemon.
Layer 7 (Agent Ecosystem). High risk in multi-agent workflows. If this agent is chained with other, less-trusted agents, a compromised agent elsewhere in the ecosystem can use the Docker agent as a proxy to execute arbitrary code on the host.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).