Godot MCP — agentic threat model

AIVSS 9.9 · Critical

Godot MCP presents a critical security risk as it grants agents local execution privileges to launch binaries and run arbitrary project code without sandboxing, potentially leading to full host compromise via untrusted debug outputs or malicious project files.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.11
Factor sum: 4.8 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action: 0.80
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.60
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
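The following is an added worked computation of the formula above, not code from the listing or from the AIVSS calculator; it reproduces the listed numbers (factor sum 4.8, AARS uplift 0.11, AIVSS 9.9) from the ten factor values. Two things in it are my assumptions rather than page content: the score is capped at 10.0, and the qualitative rating uses the CVSS v3.x bands (9.0 and above is Critical). One point the arithmetic makes visible: AARS only scales the headroom (10 − CVSS_Base), so with a base of 9.8 the agentic factors can move the final score by at most 0.2 × ThM, and the Mitigation_Factor is the only term that can pull it down.

```python
"""Worked AIVSS computation using the formula and factor values from the listing."""

# Agentic risk factors exactly as the listing reports them (each in 0.0..1.0).
GODOT_MCP_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}


def _check_range(name, value, lo, hi):
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside [{lo}, {hi}]")


def factor_sum(factors):
    """Sum of the ten agentic risk factors; the formula divides this by 10."""
    for name, value in factors.items():
        _check_range(name, value, 0.0, 1.0)
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic risk uplift: scales the headroom above the CVSS base score."""
    _check_range("CVSS_Base", cvss_base, 0.0, 10.0)
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor.

    Assumption (not stated on the page): the result is capped at 10.0.
    """
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return min(raw, 10.0)


def rating(score):
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3.x severity bands."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_breakdown(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return the fields the listing displays, rounded the way it displays them."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    score = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "cvss_base": cvss_base,
        "factor_sum": round(factor_sum(factors), 2),
        "aars_uplift": round(uplift, 2),
        "aivss": round(score, 1),
        "rating": rating(round(score, 1)),
    }


if __name__ == "__main__":
    # Reproduces the listing: factor sum 4.8, uplift 0.11, AIVSS 9.9 (Critical).
    print(score_breakdown(9.8, GODOT_MCP_FACTORS, threat_multiplier=1.1))
```

Re-running `score_breakdown` with `mitigation_factor=0.5` (a hypothetical value, to show the lever) roughly halves the score; that is the quantitative argument for the sandboxing and allowlisting controls the MAESTRO layers below call out as absent.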

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the directory listing does not specify which foundation models are used to drive this MCP server, leaving model-specific threats like adversarial reprogramming or prompt injection unverified.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — there is no mention of vector databases, RAG, or training data pipelines, though the tool does interact directly with local project files and directories.

L3 · Agent Frameworks (✓ mapped)

High risk of tool misuse. The framework exposes highly sensitive capabilities (launching binaries, running local project code) to the driving agent. If the agent is manipulated, it can be coerced into executing malicious local commands.

L4 · Deployment & Infrastructure (✓ mapped)

Critical vulnerability. The tool inherits local execution privileges and shells out directly to the Godot binary without any mentioned sandboxing, containerization, or privilege isolation, exposing the host to complete compromise.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — while the tool captures runtime debug output and returns logs to the agent, there is no mention of security-focused guardrails, anomaly detection, or logging of malicious execution attempts.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

No security controls are evident. There is an absence of authentication, authorization, or policy enforcement mechanisms to restrict which projects can be run or which binary paths can be executed.
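As an added illustration of the missing control described above, here is a hypothetical policy wrapper of the kind an MCP server could put in front of the launch: it is not the Godot MCP project's code, and the function names, the example allowlists (`/usr/local/bin/godot`, `/srv/godot/projects`) and the directory layout are constructed for the example. It resolves both the binary and the project directory to their real locations before comparing them against allowlists, so `..` segments and symlinks cannot escape the permitted roots, and it hands the binary a fixed argument list with `shell=False` so nothing the agent supplies is interpreted by a shell. `--path` and `--headless` are real Godot 4 command-line flags; everything around them is the example's own.

```python
"""Hypothetical allowlist policy for launching a Godot binary on behalf of an agent.

Not the Godot MCP project's code: names, paths and policy values are assumptions.
"""
import subprocess
from pathlib import Path

# Constructed example policy. In a real deployment these come from server-side
# configuration, never from the agent's request.
ALLOWED_BINARIES = ["/usr/local/bin/godot"]
ALLOWED_PROJECT_ROOTS = ["/srv/godot/projects"]


class LaunchPolicyError(Exception):
    """Raised when a requested launch violates the allowlist policy."""


def _resolve(p):
    # resolve() canonicalises symlinks and ".." so the checks compare real locations.
    return Path(p).expanduser().resolve()


def build_launch_command(binary, project_dir, allowed_binaries, allowed_project_roots):
    """Validate an agent-requested launch against two allowlists and return argv.

    The return value is a fixed argument list (no shell string), so agent-supplied
    values are passed as single arguments and never parsed by a shell.
    """
    bin_path = _resolve(binary)
    if bin_path not in {_resolve(b) for b in allowed_binaries}:
        raise LaunchPolicyError(f"binary not on allowlist: {binary}")

    proj = _resolve(project_dir)
    roots = [_resolve(r) for r in allowed_project_roots]
    # The project must be one of the roots or live strictly beneath one of them.
    if not any(proj == root or root in proj.parents for root in roots):
        raise LaunchPolicyError(f"project outside allowed roots: {project_dir}")

    # "--headless" and "--path" are Godot 4 CLI flags; this wrapper is hypothetical.
    return [str(bin_path), "--headless", "--path", str(proj)]


def launch(binary, project_dir, allowed_binaries, allowed_project_roots, timeout=60):
    """Run the validated command without a shell and with a timeout.

    Returns (returncode, stdout, stderr); the caller decides what to hand back
    to the agent, rather than returning raw debug output unfiltered.
    """
    argv = build_launch_command(binary, project_dir, allowed_binaries, allowed_project_roots)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return done.returncode, done.stdout, done.stderr


if __name__ == "__main__":
    print(build_launch_command("/usr/local/bin/godot", "/srv/godot/projects/demo",
                               ALLOWED_BINARIES, ALLOWED_PROJECT_ROOTS))
```

A production wrapper would also confirm that the resolved directory actually contains a `project.godot` file, run the process under a separate low-privilege account or container, and log every accepted and rejected request so that the L5 observability gap above is closed at the same time.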

L7 · Agent Ecosystem (✓ mapped)

High risk of agent-to-agent trust abuse. As an MCP tool designed to be driven by external agents, a compromised or rogue agent in the ecosystem could leverage this tool to execute arbitrary code on the host system running the MCP server.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).