entanglr/zettelkasten-mcp — agentic threat model
This agent acts as a local Zettelkasten knowledge-management tool via MCP, presenting a low-to-moderate risk profile primarily centered around local file system manipulation and potential indirect prompt injection through retrieved note content.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.40 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.80 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.

- L1 Foundation Models (not certain from the listing): The agent relies on external LLMs via MCP-compatible clients. The primary L1 threat is indirect prompt injection, where malicious instructions embedded in retrieved notes could hijack the host model's behavior.
- L2 Data Operations: The agent maintains a linked note graph locally. The primary threat is data poisoning of the local markdown/text files, which act as the agent's primary retrieval and injection surface.
- L3 Agent Frameworks: Orchestrated via the Model Context Protocol (MCP). Vulnerabilities include insecure tool integration if the client allows arbitrary file path traversal or execution during note creation, linking, and searching.
- L4 Deployment and Infrastructure: The agent runs locally. The primary infrastructure threat is unauthorized local file access or directory traversal if the MCP server does not properly restrict note storage to a sandboxed directory.
- L5 Evaluation and Observability (not certain from the listing): There is no mention of built-in logging, evaluation, or input/output guardrails to detect malicious payloads or anomalous note-linking behavior.
- L6 Security and Compliance (not certain from the listing): Access controls and authorization policies are delegated entirely to the host operating system and the parent MCP client running the server.
- L7 Agent Ecosystem: Designed to interface with other agents via MCP clients. A compromised orchestrator or peer agent could abuse the Zettelkasten tools to exfiltrate sensitive local notes or write malicious payloads into the knowledge base.
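The L3/L4 mitigation above, restricting every note operation to a sandboxed directory, is the kind of check an MCP server would apply before touching the file system. The following is an added illustration written for this page; it is not code from the zettelkasten-mcp project and assumes a hypothetical `resolve_note_path` helper that maps a client-supplied note identifier onto a file under a fixed notes root, rejecting absolute paths, `..` segments and symlinks that point outside the root. The sandbox it builds in `demo()` is constructed for the example.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path

NOTE_SUFFIX = ".md"  # assumption: notes are stored as markdown files


class NotePathError(ValueError):
    """Raised when a requested note path would escape the notes root."""


def resolve_note_path(notes_root: str | Path, requested: str) -> Path:
    """Map a client-supplied note id onto a file strictly inside notes_root.

    Hypothetical helper (not the project's API). The order of checks matters:
    syntactic rejects first, then a resolve() so that symlinks created inside
    the root but pointing outside it are caught by the final containment test.
    """
    root = Path(notes_root).resolve(strict=True)

    if not requested or "\x00" in requested:
        raise NotePathError("empty or malformed note id")

    rel = Path(requested)
    if rel.is_absolute():
        raise NotePathError(f"absolute paths are not allowed: {requested!r}")
    if ".." in rel.parts:
        raise NotePathError(f"parent-directory segments are not allowed: {requested!r}")

    candidate = root / rel
    if candidate.suffix != NOTE_SUFFIX:
        # Append rather than replace, so 'note.v2' becomes 'note.v2.md'.
        candidate = candidate.with_name(candidate.name + NOTE_SUFFIX)

    # strict=False: the note may not exist yet (create operation), but any
    # existing prefix, including symlinks, is still resolved to its real path.
    resolved = candidate.resolve(strict=False)
    try:
        resolved.relative_to(root)
    except ValueError:
        raise NotePathError(f"resolved path escapes the notes root: {requested!r}") from None
    return resolved


def demo() -> dict[str, str]:
    """Build a constructed sandbox in a temp dir and report a verdict per request.

    Layout (constructed for the example):
      <tmp>/notes/inbox/idea.md   a legitimate note
      <tmp>/secrets/token.md      a file the agent must never reach
      <tmp>/notes/escape -> <tmp>/secrets   a symlink planted inside the root
    """
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "notes"
        root.mkdir()
        root = root.resolve()
        (root / "inbox").mkdir()
        (root / "inbox" / "idea.md").write_text("# idea\n")

        outside = Path(tmp) / "secrets"
        outside.mkdir()
        (outside / "token.md").write_text("not for the agent\n")
        os.symlink(outside, root / "escape")

        requests = [
            "inbox/idea",            # normal read
            "new/note",              # create in a not-yet-existing subfolder
            "inbox/../inbox/idea",   # traversal segment, even if it nets out inside
            "../secrets/token",      # classic traversal
            "/etc/passwd",           # absolute path
            "escape/token",          # symlink inside the root pointing outside
        ]
        for req in requests:
            try:
                path = resolve_note_path(root, req)
                results[req] = "ok:" + path.relative_to(root).as_posix()
            except NotePathError:
                results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:28} -> {verdict}")
```

The containment test after `resolve()` is the part that cannot be replaced by string checks alone: the `escape/token` request contains no `..` and no absolute prefix, yet it reaches a file outside the root through the planted symlink, and only comparing the resolved path against the resolved root catches it.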
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).