
ForeverVM MCP — agentic threat model

AIVSS 6.4 · Medium

ForeverVM MCP acts as a persistent Python execution sandbox designed to mitigate arbitrary code execution risks for agents. Its primary risk profile centers on sandbox escape, resource exhaustion, and lateral movement if egress controls are bypassed.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.58 · Factor sum 3.9/10 · Threat ×1.0 · Mitigation ×0.7

Agentic risk factors (weight 0–1 each):
Autonomy of Action 0.20
Goal-Driven Planning 0.10
Self-Modification 0.30
Dynamic Tool Use 0.80
Persistent Memory 0.70
Contextual Awareness 0.20
Dynamic Identity 0.10
Multi-Agent Interactions 0.60
Non-Determinism 0.50
Opacity & Reflexivity 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
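To make the score reproducible, here is an added example (not part of the AgentReady listing or the OWASP calculator) that recomputes the AIVSS value from the inputs stated above using the page's own formula. The factor weights, CVSS base, threat multiplier and mitigation factor are the page's; the qualitative severity bands are an assumption borrowed from the CVSS v3 scale, since the page does not define them. It also shows the score with the mitigation factor set to 1.0, i.e. what the same agent would score if the egress controls and resource limits were not credited.

```python
# Added example: recompute the OWASP AIVSS score shown on this listing.
# Formula (from the page):
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
# Severity bands below are ASSUMED to follow the CVSS v3 qualitative scale.

# Agentic risk factor weights exactly as listed on the page.
FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.70,
    "Contextual Awareness": 0.20,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}

CVSS_BASE = 8.5          # CVSS base score stated on the page
THREAT_MULTIPLIER = 1.0  # ThM stated on the page
MITIGATION_FACTOR = 0.7  # credit given for egress controls and resource limits


def factor_sum(factors):
    """Sum of the ten agentic factor weights; ranges from 0 to 10."""
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic AI Risk Score uplift: the headroom left above the CVSS base,
    scaled by how agentic the system is and by the threat multiplier."""
    return (10 - cvss_base) * (factor_sum(factors) / 10) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Final AIVSS score, rounded to one decimal as the page reports it."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return round((cvss_base + uplift) * mitigation_factor, 1)


def severity(score):
    """Qualitative band (assumed CVSS v3 scale; not defined on the page)."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def breakdown(mitigation_factor=MITIGATION_FACTOR):
    """Return every intermediate value so the rationale can be audited."""
    score = aivss(CVSS_BASE, FACTORS, THREAT_MULTIPLIER, mitigation_factor)
    return {
        "cvss_base": CVSS_BASE,
        "factor_sum": round(factor_sum(FACTORS), 2),
        "aars": round(aars(CVSS_BASE, FACTORS, THREAT_MULTIPLIER), 3),
        "mitigation_factor": mitigation_factor,
        "aivss": score,
        "severity": severity(score),
    }


if __name__ == "__main__":
    # As scored on the page (mitigation credited) vs. the uncredited baseline.
    print("with mitigation:   ", breakdown())
    print("without mitigation:", breakdown(mitigation_factor=1.0))
```

The uncredited run is the useful reading: dropping the mitigation factor moves the same agent from Medium into Critical, which is why the egress controls and resource limits are the controls worth verifying in a deployment rather than assuming from the listing.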

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — ForeverVM is an execution sandbox and MCP tool rather than a foundation model itself, so direct model-level threats like adversarial reprogramming or data poisoning depend entirely on the external LLM orchestrating it.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — while the VMs are persistent (implying state and file persistence), the listing does not detail any specific training data, vector databases, or RAG pipelines managed by ForeverVM.

L3 · Agent Frameworks (✓ mapped)

As an MCP tool, it integrates directly into agent frameworks to execute Python code. The primary threat is insecure tool integration where orchestrating agents blindly execute untrusted or malicious code generated by the model.

L4 · Deployment & Infrastructure (✓ mapped)

This is the core layer for ForeverVM. Key threats include sandbox egress, container/host compromise, privilege escalation from the VM to the host, and Denial of Service (DoS) via resource exhaustion within the persistent VMs.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The description mentions resource limits as a control, but does not specify the logging, monitoring, or anomaly detection capabilities used to flag malicious code execution attempts.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The tool explicitly implements sandbox egress controls and resource limits to mitigate arbitrary-code-execution risks, though specific authentication, authorization, and compliance standards (e.g., SOC2) are not detailed.

L7 · Agent Ecosystem (✓ mapped)

Designed specifically to run code for other agents. Threats include multi-agent trust abuse, where a compromised agent leverages the persistent VM to store malicious payloads or conduct lateral attacks against other agents sharing the ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).