
EdgeOne Pages MCP — agentic threat model

AIVSS 9.1 · Critical

The EdgeOne Pages MCP agent presents a high-risk profile due to its ability to instantly publish arbitrary agent-generated content directly to the public internet, creating a direct vector for hosting phishing pages, malware, or unauthorized content under a user's account.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.3
AARS uplift: 0.8
Factor sum: 4.5/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0–1.0):

Autonomy of Action: 0.80
Goal-Driven Planning: 0.30
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.50
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
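To make the score above reproducible, here is the formula applied to this listing's inputs as an added example; it is not code from the listing or from the OWASP AIVSS calculator. The qualitative band thresholds in `severity` are an assumption (CVSS v3-style bands), since the listing only shows the resulting label.

```python
# Recompute the listing's AIVSS score from its published inputs.
# Factor values (0.0-1.0) are the ten agentic risk factors as this listing scores them.
FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Apply the formula quoted on the page:
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, capped at 10.0
    Returns the intermediate values too, so each can be checked against the listing."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be within 0-10")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be within 0-1")
    factor_sum = sum(factors.values())
    # AARS scales the remaining headroom (10 - base): a high base leaves little
    # room for agentic uplift, which is why a base of 8.3 only gains about 0.8.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    aivss = min(10.0, (cvss_base + aars) * mitigation_factor)
    return {"factor_sum": factor_sum, "aars": aars, "aivss": aivss}


def severity(score):
    """Qualitative band. Assumption: CVSS v3-style thresholds (not stated on the page)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


if __name__ == "__main__":
    r = aivss_score(8.3, FACTORS, threat_multiplier=1.05, mitigation_factor=1.0)
    print(f"factor sum {r['factor_sum']:.1f}/10, AARS {r['aars']:.2f}, "
          f"AIVSS {r['aivss']:.1f} ({severity(r['aivss'])})")
```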

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary for layers the public description did not give enough detail to pin down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The agent relies on external LLMs to generate the HTML/content. If the underlying model is reprogrammed or suffers from adversarial prompt injection, it can be coerced into generating malicious scripts, phishing templates, or defaced content that is then deployed.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The agent does not explicitly mention a vector database or RAG pipeline, but any data operations feeding into the HTML generation could be poisoned to inject malicious payloads into the deployed web pages.

L3 · Agent Frameworks (✓ mapped)

The agent framework exposes highly sensitive tools ('deploy-html' and folder deployment) that can be easily misused by an orchestrator or via prompt injection to publish unauthorized files, sensitive local project directories, or credentials to the public web.

L4 · Deployment & Infrastructure (✓ mapped)

The agent interacts directly with Tencent EdgeOne's global CDN. The primary infrastructure threat is the exposure of local files during folder deployment and the consumption of the user's deployment credits/bandwidth, potentially leading to financial denial of service.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, content moderation, or logging to inspect the HTML content for malicious patterns (like credential harvesting forms) before deploying it to the live URL.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The agent operates using the user's EdgeOne account credentials to provision public URLs. There is a lack of fine-grained authorization controls to restrict what domains or subdomains the agent is allowed to publish to, risking brand reputation damage.

L7 · Agent Ecosystem (✓ mapped)

In a multi-agent ecosystem, another compromised or rogue agent could generate malicious payloads and pass them to this MCP agent to automatically distribute malware or phishing campaigns globally without human intervention.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).