
linux-remote-mcp — agentic threat model

AIVSS 9.9 · Critical

The linux-remote-mcp agent presents an exceptionally high-risk profile due to its capability to execute arbitrary shell commands, manage Docker, and transfer files over SSH, making any prompt injection vulnerability equivalent to remote code execution.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 9.8
AARS uplift: 0.13
Factor sum: 5.9 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (sum 5.9):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.20
Dynamic Tool Use: 1.00
Persistent Memory: 0.30
Contextual Awareness: 0.50
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.40
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
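The following is an added example, not code from the listing or from the OWASP AIVSS project: it recomputes the score above from the ten listed factors using the formula quoted on this page, and shows how large a mitigation discount would be needed to leave the Critical band. The qualitative severity thresholds (Critical at 9.0 and above, CVSS-style) are an assumption.

```python
# Added example (not the listing's or OWASP's code): recompute the AIVSS score
# for linux-remote-mcp from the page's inputs. Severity band thresholds are
# assumed to follow CVSS-style bands (9.0+ Critical, 7.0+ High, 4.0+ Medium).
CVSS_BASE = 9.8            # CVSS base score from the listing
THREAT_MULTIPLIER = 1.1    # ThM from the listing
MITIGATION_FACTOR = 1.0    # 1.0 = no compensating controls credited

FACTORS = {  # agentic risk factors exactly as listed on the page
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 1.00,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.80,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.60,
}

def aars(cvss_base, factors, thm):
    """Agentic risk uplift: AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    factor_sum = sum(factors.values())  # 5.9 for this listing
    return (10 - cvss_base) * (factor_sum / 10) * thm

def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, capped at 10.0."""
    return min(10.0, (cvss_base + aars(cvss_base, factors, thm)) * mitigation)

def severity(score):
    """Qualitative band for a score (assumed CVSS-style thresholds)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def mitigation_needed(target, cvss_base, factors, thm):
    """Largest Mitigation_Factor that keeps AIVSS at or below `target`."""
    return target / (cvss_base + aars(cvss_base, factors, thm))

if __name__ == "__main__":
    score = aivss(CVSS_BASE, FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    print(f"AARS uplift {aars(CVSS_BASE, FACTORS, THREAT_MULTIPLIER):.2f}")
    print(f"AIVSS {score:.1f} · {severity(score)}")
    print(f"Mitigation factor needed for 8.9: "
          f"{mitigation_needed(8.9, CVSS_BASE, FACTORS, THREAT_MULTIPLIER):.2f}")
```

With no credited mitigation the result reproduces the listed 0.13 uplift and 9.9 score; controls would have to discount the score by roughly 10% before it drops out of Critical.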

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models [⚠ not certain from listing]

Not certain from the listing — the underlying foundation model is not specified, but any LLM driving this agent is highly vulnerable to prompt injection, which could translate directly into arbitrary remote shell command execution.

L2 · Data Operations [⚠ not certain from listing]

Not certain from the listing — no explicit RAG or vector database is mentioned, but file transfers and command outputs represent sensitive data flows that could be exfiltrated or poisoned.

L3 · Agent Frameworks [✓ mapped]

The agent exposes 35 highly sensitive tools (SSH, Docker, CTF ops). Insecure tool integration or prompt injection at this layer directly leads to unauthorized system administration and host compromise.

L4 · Deployment & Infrastructure [✓ mapped]

The infrastructure risk is extreme because the agent manages SSH sessions and Docker containers. Compromise allows lateral movement, container escapes, and full host takeover.

L5 · Evaluation & Observability [⚠ not certain from listing]

Not certain from the listing — there are no mentioned guardrails, logging, or anomaly detection mechanisms to monitor or block malicious shell commands.

L6 · Security & Compliance (cross-cutting) [⚠ not certain from listing]

Not certain from the listing — SSH credential management and authorization policies are not detailed, posing severe compliance and access control risks.

L7 · Agent Ecosystem [✓ mapped]

As an MCP (Model Context Protocol) toolset, it is designed to be called by other agents, creating a high risk of cascading compromises if an upstream agent is hijacked.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).