
Heroku — agentic threat model

AIVSS 8.9 · High

The Heroku MCP server presents a critical risk profile due to its ability to execute highly destructive infrastructure and database operations. Without strict external guardrails or human-in-the-loop validation, compromise of the orchestrating agent or the API key could lead to complete production environment takeover.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.08
Factor sum: 3.7 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.9

Agentic risk factors (each scored 0.00 to 1.00):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.90
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.20
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
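The following is a worked computation of the score shown above, added here as an illustration; it is not code from this listing or from the OWASP AIVSS calculator. It applies the formula quoted on the page to the page's own inputs (CVSS base 9.8, the ten factors, ThM 1.1, mitigation 0.9). Two things are assumptions: rounding AARS to two decimals and the headline score to one decimal, chosen to match the figures displayed, and the use of the CVSS v3.x qualitative bands (7.0 to 8.9 = High, 9.0 and up = Critical) for the severity label. It also generalises slightly by computing the ceiling on the AARS uplift, which explains why a near-maximal CVSS base leaves the agentic factors almost no room to move the score.

```python
"""Worked AIVSS computation for the Heroku MCP server score on this page.

Added example, not part of the listing or of OWASP's calculator. Formula as
quoted on the page:
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
Rounding conventions and the severity bands are assumptions (see docstrings).
"""

# The ten agentic risk factors exactly as scored on this page (0.0 to 1.0 each).
HEROKU_MCP_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.50,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}


def aars(cvss_base, factors, thm):
    """Agentic AI Risk Score uplift: the unused headroom above the CVSS base,
    scaled by the averaged factor sum and the threat multiplier."""
    factor_sum = sum(factors.values())
    return (10 - cvss_base) * (factor_sum / 10) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """Final AIVSS: base plus uplift, then discounted by the mitigation factor."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def uplift_ceiling(cvss_base, thm):
    """Largest AARS possible (all ten factors at 1.0). With a 9.8 base this is
    only 0.2 * thm, so the agentic factors can barely move the score; the
    mitigation factor then dominates the result."""
    return (10 - cvss_base) * thm


def severity(score):
    """Qualitative label. Assumption: same bands as CVSS v3.x."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def score_report(cvss_base, factors, thm, mitigation):
    """Assemble the figures the listing displays. Rounding (AARS to 2 places,
    score to 1 place) is an assumption chosen to match the page."""
    a = aars(cvss_base, factors, thm)
    s = round(aivss(cvss_base, factors, thm, mitigation), 1)
    return {
        "factor_sum": round(sum(factors.values()), 2),
        "aars": round(a, 2),
        "aivss": s,
        "severity": severity(s),
    }


if __name__ == "__main__":
    print(score_report(9.8, HEROKU_MCP_FACTORS, 1.1, 0.9))
    print("max possible AARS at this base:", round(uplift_ceiling(9.8, 1.1), 2))
```

Running it reproduces the page's 0.08 uplift and 8.9 headline, and shows that the 0.9 mitigation factor is what pulls a 9.8 base below the Critical band; the factor scores could at most add 0.22.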

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server itself does not bundle a foundation model; it is designed to be called by external LLMs. Threats depend entirely on the host LLM's susceptibility to prompt injection or jailbreaks.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No native RAG or vector database is mentioned, but it has direct access to Heroku databases, making data exfiltration or unauthorized database operations a major threat if the agent is manipulated.

L3 · Agent Frameworks (✓ mapped)

The MCP framework exposes highly sensitive tools (dyno scaling, database configuration). Insecure tool integration or lack of input validation on the client agent side could lead to destructive actions like deleting databases or scaling down production dynos.

L4 · Deployment & Infrastructure (✓ mapped)

The server runs locally or in a hosted environment, requiring a Heroku API key. Exposure of this key or compromise of the hosting environment grants full administrative access to the associated Heroku account.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in guardrails, logging, or anomaly detection are mentioned. Without external monitoring, malicious or accidental destructive actions (e.g., database deletion) may go unnoticed until outage occurs.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Relies on Heroku API-key authentication. However, it lacks fine-grained access controls (RBAC) within the MCP layer itself, meaning any agent with access to the server inherits the full permissions of the API key.

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, it is designed to be integrated into broader agentic workflows. A compromised or rogue orchestrator agent could abuse this tool to perform unauthorized infrastructure changes or exfiltrate database contents.
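Layers L3, L5 and L6 above all come back to the same gap: the MCP layer passes every call straight through on the API key's full permissions, with no scope restriction, no approval step for destructive actions and no record of what was done. The block below is an added illustration of the external guardrail the summary calls for; it is not code from the Heroku MCP server or from Heroku. Every tool and app name in it is a constructed placeholder (a real deployment would take the names from the server's tools/list response), and the policy itself is an assumption about what a sensible split between read-only and destructive calls looks like.

```python
"""Policy gate in front of an infrastructure MCP server's tool calls.

Added illustration written for this listing; not code from the Heroku MCP
server or from Heroku. Tool names and app names are constructed placeholders.
The gate enforces four controls the listing says are absent from the MCP
layer: a per-app scope for the agent, explicit human approval for each
destructive call, fail-closed handling of tools it does not recognise, and an
audit record for every decision so destructive actions do not go unnoticed.
"""
from dataclasses import dataclass, field
import fnmatch
import time

# Constructed name patterns for the two classes of call this gate recognises.
# Anything matching neither list is denied rather than allowed.
READ_ONLY_TOOLS = ["list_*", "get_*", "describe_*"]
DESTRUCTIVE_TOOLS = ["delete_*", "destroy_*", "scale_*", "set_config_*", "run_sql"]


@dataclass
class Decision:
    verdict: str   # "allow", "needs_approval" or "deny"
    reason: str


@dataclass
class ToolCallGate:
    allowed_apps: frozenset                        # apps this agent may touch at all
    approvals: set = field(default_factory=set)    # (tool, app) pairs a human approved
    audit_log: list = field(default_factory=list)  # one entry per decision

    @staticmethod
    def _matches(tool, patterns):
        return any(fnmatch.fnmatchcase(tool, p) for p in patterns)

    def approve(self, tool, app):
        """Record a one-shot human approval for one destructive call on one app."""
        self.approvals.add((tool, app))

    def decide(self, tool, args):
        """Classify a proposed call. Order matters: scope first, then the
        destructive check, then read-only, and finally deny by default."""
        app = args.get("app")
        if app is not None and app not in self.allowed_apps:
            d = Decision("deny", f"app {app!r} is outside this agent's scope")
        elif self._matches(tool, DESTRUCTIVE_TOOLS):
            if (tool, app) in self.approvals:
                self.approvals.discard((tool, app))   # approval is consumed, not reusable
                d = Decision("allow", "destructive call with recorded human approval")
            else:
                d = Decision("needs_approval", "destructive call without human approval")
        elif self._matches(tool, READ_ONLY_TOOLS):
            d = Decision("allow", "read-only call")
        else:
            d = Decision("deny", "tool not on either list; failing closed")
        self.audit_log.append({
            "ts": time.time(), "tool": tool, "args": dict(args),
            "verdict": d.verdict, "reason": d.reason,
        })
        return d


if __name__ == "__main__":
    # Constructed scenario: the agent is scoped to one app only.
    gate = ToolCallGate(allowed_apps=frozenset({"prod-api"}))
    print(gate.decide("list_apps", {}))
    print(gate.decide("delete_app", {"app": "prod-api"}))   # needs_approval
    gate.approve("delete_app", "prod-api")
    print(gate.decide("delete_app", {"app": "prod-api"}))   # allow, approval consumed
    print(gate.decide("scale_dynos", {"app": "staging"}))   # deny, out of scope
    print(gate.decide("frobnicate", {}))                    # deny, unknown tool
    for entry in gate.audit_log:
        print(entry["verdict"], entry["tool"], entry["reason"])
```

The gate sits between the orchestrating agent and the MCP server, so a manipulated or rogue agent is limited to the app scope it was given and cannot complete a delete or scale-down on its own; the audit log gives the L5 monitoring a concrete event stream to alert on, for example any burst of needs_approval or deny verdicts from one session.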

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).