Home Assistant MCP (hass-mcp) — agentic threat model
The Home Assistant MCP presents a high-risk agentic profile due to its ability to actuate physical IoT devices (locks, alarms, cameras), where prompt injection or tool misuse can translate directly into real-world physical safety and security breaches.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — The underlying foundation model is determined by the client connecting to this MCP. The primary threat is model reprogramming or prompt injection that tricks the model into executing unauthorized physical actions.
Layer 2 (Data Operations): Not certain from the listing — While the agent queries device states and home configurations, there is no mention of a dedicated vector store or RAG pipeline. State data could potentially be exfiltrated or manipulated to feed false context to the model.
Layer 3 (Agent Frameworks): The agent framework layer is highly critical here as it exposes Home Assistant services as tools. Insecure tool integration or lack of input validation could allow an LLM to execute high-consequence tools (e.g., unlocking doors or disabling alarms) without proper verification.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The deployment architecture is not specified, but typically involves running as an MCP server locally or in a container. Risks include insecure storage of the Home Assistant long-lived access token and lack of network isolation.
Layer 5 (Evaluation and Observability): Not certain from the listing — There are no mentioned guardrails, evaluation frameworks, or real-time monitoring tools to detect anomalous or malicious tool-calling behavior before physical actuation occurs.
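What the monitoring gap at this layer looks like in practice: an audit record per tool invocation and a small detector over those records. The Python below is an added example, not code from the hass-mcp project. The record format, field names, the list of high-consequence services and the burst threshold are all assumptions; the listing does not describe what hass-mcp actually logs.

```python
"""Added example, not code from the hass-mcp project: a small detector that
runs over MCP tool-call audit records and raises alerts on risky actuation
patterns. The record format and every field name below are constructed for
this example; the listing does not describe what hass-mcp actually logs."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Service calls whose misuse has direct physical-safety impact (hypothetical list).
HIGH_CONSEQUENCE = {
    ("lock", "unlock"),
    ("alarm_control_panel", "alarm_disarm"),
    ("cover", "open_cover"),
}

BURST_THRESHOLD = 5                   # actuations per session ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this sliding window

# Constructed audit log: one JSON object per line, as an MCP server might emit
# for each tool invocation. Session s1 fires six actuations in ten seconds;
# session s2 unlocks a door right after a read-only state query.
SAMPLE_LOG = """
{"ts": "2024-05-01T02:14:03Z", "session": "s1", "tool": "call_service", "domain": "light", "service": "turn_off", "entity_id": "light.hall"}
{"ts": "2024-05-01T02:14:05Z", "session": "s1", "tool": "call_service", "domain": "light", "service": "turn_off", "entity_id": "light.kitchen"}
{"ts": "2024-05-01T02:14:07Z", "session": "s1", "tool": "call_service", "domain": "switch", "service": "turn_off", "entity_id": "switch.porch"}
{"ts": "2024-05-01T02:14:09Z", "session": "s1", "tool": "call_service", "domain": "light", "service": "turn_off", "entity_id": "light.bedroom"}
{"ts": "2024-05-01T02:14:11Z", "session": "s1", "tool": "call_service", "domain": "light", "service": "turn_off", "entity_id": "light.garage"}
{"ts": "2024-05-01T02:14:13Z", "session": "s1", "tool": "call_service", "domain": "switch", "service": "turn_off", "entity_id": "switch.fan"}
{"ts": "2024-05-01T03:02:08Z", "session": "s2", "tool": "get_state", "entity_id": "lock.front_door"}
{"ts": "2024-05-01T03:02:10Z", "session": "s2", "tool": "call_service", "domain": "lock", "service": "unlock", "entity_id": "lock.front_door"}
{"ts": "2024-05-01T03:05:00Z", "session": "s3", "tool": "call_service", "domain": "light", "service": "turn_on", "entity_id": "light.hall"}
"""


def parse(line):
    """Parse one JSON audit line; timestamps are UTC ISO-8601 with a Z suffix."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect(lines):
    """Return a list of alerts (dicts with rule, session, ts, detail)."""
    alerts = []
    windows = defaultdict(deque)  # session -> timestamps of recent actuations
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse(line)
        if rec["tool"] != "call_service":
            continue  # read-only tools such as get_state are not actuation
        key = (rec["domain"], rec["service"])

        # Rule 1: any high-consequence service call is worth a review.
        if key in HIGH_CONSEQUENCE:
            alerts.append({"rule": "high_consequence", "session": rec["session"],
                           "ts": rec["ts"].isoformat(),
                           "detail": f"{rec['domain']}.{rec['service']} on {rec['entity_id']}"})

        # Rule 2: a burst of actuations from one session inside the window.
        window = windows[rec["session"]]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) == BURST_THRESHOLD:  # fire once, when the threshold is crossed
            alerts.append({"rule": "burst", "session": rec["session"],
                           "ts": rec["ts"].isoformat(),
                           "detail": f"{len(window)} actuations within {BURST_WINDOW.seconds}s"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log this raises two alerts: a burst for session s1 and a high-consequence call for session s2. Both rules are deliberately simple; the point is that the audit record carries enough context (session, domain, service, entity) for a detector to act on each actuation, which is what the listing gives no evidence of.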
Layer 6 (Security and Compliance): Not certain from the listing — Access control relies entirely on the Home Assistant token permissions. There is no evidence of granular, MCP-level authorization policies to restrict access to sensitive physical devices based on the user's session context.
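The tool-integration gap called out at the Agent Frameworks layer and the missing MCP-level authorization noted here are closed by the same control: a deny-by-default gate evaluated before any service call reaches Home Assistant. The Python below is an added example, not hass-mcp's own code. The role names, the per-role allowlists, the session fields and the `dispatch` callable that would forward an approved call are all assumptions for illustration.

```python
"""Added example, not hass-mcp's own code: a deny-by-default authorization
gate placed between the MCP tool handler and the Home Assistant service call.
Everything here is an assumption for illustration: the role names, the
service allowlists, the session fields and the `dispatch` callable that
would forward an approved call to Home Assistant."""
from dataclasses import dataclass
import re

# Home Assistant entity ids look like "<domain>.<object_id>".
ENTITY_ID = re.compile(r"^[a-z0-9_]+\.[a-z0-9_]+$")

# Services whose misuse has direct physical-safety impact (hypothetical list).
HIGH_CONSEQUENCE = {
    ("lock", "unlock"),
    ("alarm_control_panel", "alarm_disarm"),
    ("cover", "open_cover"),
}

# Per-role allowlist of (domain, service); ("domain", "*") allows every
# service in that domain. Roles are hypothetical; a real deployment derives
# them from the user's session, never from the model's request.
ROLE_POLICY = {
    "viewer": set(),
    "resident": {("light", "*"), ("switch", "*"), ("climate", "*"),
                 ("lock", "lock"), ("cover", "close_cover")},
    "admin": {("light", "*"), ("switch", "*"), ("climate", "*"),
              ("lock", "*"), ("alarm_control_panel", "*"), ("cover", "*")},
}


@dataclass
class Session:
    role: str
    untrusted_context: bool = False  # prompt contains third-party text (web page, device attribute)
    confirmed: bool = False          # user explicitly approved this specific call


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session, domain, service, entity_id):
    """Decide whether this session may call domain.service on entity_id."""
    # 1. Validate the model-supplied arguments before anything else.
    if not ENTITY_ID.match(entity_id) or entity_id.split(".", 1)[0] != domain:
        return Decision(False, "malformed entity_id or domain mismatch")
    # 2. Deny by default: the role's allowlist must name the service.
    allowed = ROLE_POLICY.get(session.role, set())
    if (domain, service) not in allowed and (domain, "*") not in allowed:
        return Decision(False, f"role {session.role!r} may not call {domain}.{service}")
    # 3. Physical-safety calls need a clean context and an explicit confirmation.
    if (domain, service) in HIGH_CONSEQUENCE:
        if session.untrusted_context:
            return Decision(False, "high-consequence call blocked while untrusted content is in context")
        if not session.confirmed:
            return Decision(False, "high-consequence call requires explicit user confirmation")
    return Decision(True, "ok")


def guarded_call(session, domain, service, entity_id, dispatch):
    """Tool-handler wrapper: forward to dispatch(domain, service, entity_id) only if authorized."""
    decision = authorize(session, domain, service, entity_id)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return dispatch(domain, service, entity_id)


if __name__ == "__main__":
    sent = []
    guarded_call(Session("resident"), "light", "turn_on", "light.kitchen", lambda *a: sent.append(a))
    try:
        guarded_call(Session("resident"), "lock", "unlock", "lock.front_door", lambda *a: sent.append(a))
    except PermissionError as exc:
        print("denied:", exc)
    print("forwarded:", sent)
```

Two design points matter more than the specific lists. The role and the `untrusted_context` flag come from the session the MCP server already holds, so a prompt-injected request cannot grant itself a role. And the confirmation for high-consequence services is a property of the session state set by the user, not a tool argument the model can populate, which is what keeps the gate meaningful under prompt injection.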
Layer 7 (Agent Ecosystem): Not certain from the listing — If this MCP is exposed to a multi-agent ecosystem, a secondary untrusted agent could exploit the trust relationship to manipulate the Home Assistant agent into performing physical actions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).