AgentReadyHomeAgent Listing

← Hugging Face MCP

Hugging Face MCP — agentic threat model

7.3AIVSS 7.3 · High

The Hugging Face MCP agent acts as a data-retrieval bridge to the Hugging Face Hub, presenting moderate risk primarily through the ingestion of untrusted model cards (prompt injection vector) and the handling of sensitive API tokens that grant access to private repositories.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5AARS uplift 0.77Factor sum 2.2/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.40
Persistent Memory
0.00
Contextual Awareness
0.20
Dynamic Identity
0.40
Multi-Agent Interactions
0.50
Non-Determinism
0.20
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The specific foundation models orchestrating this MCP client are not defined, but the retrieved model cards and documentation could contain adversarial text designed to exploit the calling model's alignment.

L2 · Data Operations✓ mapped

Retrieved model cards and dataset READMEs are explicitly noted as untrusted text, posing a high risk of indirect prompt injection or data poisoning when ingested by downstream agent workflows.

L3 · Agent Frameworks✓ mapped

The agent framework exposes tools for searching and exploring the Hub. Insecure integration could allow malicious model metadata to hijack the orchestrating agent's execution flow.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The hosting environment, sandboxing of the MCP server, and local secret storage mechanisms for the Hugging Face token are not specified.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of logging, input sanitization, or guardrails to filter out malicious payloads within retrieved Hugging Face metadata.

L6 · Security & Compliance (cross-cutting)✓ mapped

Authentication relies on a Hugging Face token. A significant risk exists as any provided token broadly grants access to the user's private repositories without fine-grained scoping.

L7 · Agent Ecosystem✓ mapped

As an MCP tool, this agent is designed for multi-agent ecosystems. A compromise or injection via this tool can propagate vertically to the orchestrating agent and horizontally to other connected services.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).