

GitHub MCP Server — agentic threat model

AIVSS 9.0 · Critical

The GitHub MCP Server exposes highly sensitive repository, issue, and CI/CD actions to LLMs, creating a critical vector for indirect prompt injection and unauthorized code modification if paired with broad Personal Access Tokens.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.73
Factor sum: 5.5/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.50
Self-Modification: 0.20
Dynamic Tool Use: 0.90
Persistent Memory: 0.30
Contextual Awareness: 0.80
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.50
Non-Determinism: 0.60
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
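The formula above carried through with the listing's own inputs, as an added worked example (not code from the AgentReady page or from the AIVSS calculator). The ten factor values, the CVSS base of 8.8, the threat multiplier of 1.1 and the mitigation factor of 0.95 are taken from the listing; the severity bands are assumed to follow the CVSS qualitative scale (9.0 and above is Critical), which is consistent with the page's "Critical" label.

```python
# Added example: the OWASP AIVSS formula as stated on the listing.
#   AIVSS = (CVSS_Base + AARS) x Mitigation_Factor
#   AARS  = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM
# Inputs below are the listing's values for the GitHub MCP Server.

# The ten agentic risk factors, each scored in [0, 1], as given on the page.
GITHUB_MCP_FACTORS: dict[str, float] = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.40,
}

# Assumption: severity bands follow the CVSS v3 qualitative scale.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def factor_sum(factors: dict[str, float]) -> float:
    """Sum of the agentic risk factors; each must be a value in [0, 1]."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base: float, factor_total: float, threat_multiplier: float) -> float:
    """Agentic AI Risk Score: scales the headroom left above the CVSS base."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    return (10.0 - cvss_base) * (factor_total / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict[str, float],
          threat_multiplier: float, mitigation_factor: float) -> float:
    """Final AIVSS score: base plus agentic uplift, discounted by mitigations."""
    uplift = aars(cvss_base, factor_sum(factors), threat_multiplier)
    return (cvss_base + uplift) * mitigation_factor


def severity(score: float) -> str:
    """Qualitative rating for a score (assumed CVSS-style bands)."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "None"


if __name__ == "__main__":
    total = factor_sum(GITHUB_MCP_FACTORS)
    uplift = aars(8.8, total, 1.1)
    score = aivss(8.8, GITHUB_MCP_FACTORS, 1.1, 0.95)
    print(f"factor sum      : {total:.1f}/10")
    print(f"AARS uplift     : {uplift:.2f}")
    print(f"AIVSS           : {score:.1f} ({severity(score)})")
```

Running it reproduces the listing's intermediate values (factor sum 5.5, AARS 0.73) and the final 9.0 Critical; changing the mitigation factor or any single agentic factor shows how much of the score is driven by the 8.8 base versus the agentic uplift.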

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The server relies on external LLMs via the MCP host; these models are vulnerable to indirect prompt injection when processing untrusted issue or PR content retrieved by the server.

L2 · Data Operations · ✓ mapped

Acts as a data conduit for repositories, issues, PRs, and code search. Untrusted data retrieved from public or shared repositories can poison the context window of the consuming agent.

L3 · Agent Frameworks · ✓ mapped

Exposes powerful tools for repository manipulation, issue tracking, and workflow execution. Insecure tool integration or lack of strict input validation can lead to arbitrary code execution or unauthorized repository changes.

L4 · Deployment & Infrastructure · ✓ mapped

Supports both local and remote modes. Local execution exposes the host machine's environment, while remote execution requires secure handling of highly sensitive GitHub Personal Access Tokens (PATs) or Copilot tokens.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — The directory listing does not specify built-in logging, audit trails, or guardrails to monitor and intercept malicious tool calls or anomalous repository actions.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Relies heavily on the underlying GitHub token permissions (OAuth/PAT). If over-permissioned, a compromise allows broad write access across multiple repositories, violating the principle of least privilege.

L7 · Agent Ecosystem · ✓ mapped

Designed to connect agents to GitHub. In multi-agent workflows, a compromised or untrusted agent could abuse this server to exfiltrate proprietary code or inject malicious commits into upstream repositories.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).