AgentReadyHomeAgent Listing

← Local Memory MCP

Local Memory MCP — agentic threat model

5.6AIVSS 5.6 · Medium

Local Memory MCP presents a low-to-moderate risk profile; while it operates entirely locally with no cloud dependencies, its core function of persistent semantic memory introduces a risk of cross-session memory poisoning if malicious inputs are stored.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.3AARS uplift 1.65Factor sum 3.9/10Threat ×0.9Mitigation ×0.8
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.60
Dynamic Tool Use
0.20
Persistent Memory
1.00
Contextual Awareness
0.70
Dynamic Identity
0.10
Multi-Agent Interactions
0.30
Non-Determinism
0.40
Opacity & Reflexivity
0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The agent relies on local embeddings and an external LLM via the Model Context Protocol (MCP). The primary threat is adversarial prompt injection leading to unintended memory writes, though model stealing or direct model poisoning is out of scope for this local tool.

L2 · Data Operations✓ mapped

This layer is highly critical as the agent manages local embeddings and an SQLite-backed vector store. The primary threat is knowledge-base/memory poisoning, where malicious or untrusted data is embedded and persistently stored, leading to retrieval of poisoned context in future sessions.

L3 · Agent Frameworks✓ mapped

The agent framework orchestrates persistent cross-session memory. The main threat is memory poisoning and insecure tool integration, where the host agent blindly trusts retrieved semantic notes, potentially executing indirect injections or malicious payloads stored in the SQLite database.

L4 · Deployment & Infrastructure✓ mapped

The deployment is local-only with no cloud dependency, which significantly reduces the network attack surface. However, the SQLite database and local files must be secured with appropriate OS-level file permissions to prevent unauthorized local access or tampering.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in logging, input filtering, or guardrails to detect or prevent the storage of malicious semantic injections, creating a potential blind spot for memory integrity monitoring.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — The tool lacks explicit authentication or authorization mechanisms, relying entirely on the host environment's security controls to restrict who can read or write to the local SQLite memory store.

L7 · Agent Ecosystem✓ mapped

As an MCP tool, this agent is designed to be called by other agents. The primary ecosystem threat is trust abuse, where a compromised or rogue agent writes malicious notes into the local memory, poisoning the shared context for all other agents utilizing this MCP server.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).