AgentReadyHomeAgent Listing

← MarkItDown MCP Server

MarkItDown MCP Server — agentic threat model

6.0AIVSS 6.0 · Medium

The MarkItDown MCP Server presents a moderate security risk primarily due to local filesystem access and the ingestion of untrusted document formats, which could lead to prompt injection or path traversal if not strictly sandboxed.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5AARS uplift 0.55Factor sum 1.5/10Threat ×1.05Mitigation ×0.85
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.40
Persistent Memory
0.00
Contextual Awareness
0.30
Dynamic Identity
0.00
Multi-Agent Interactions
0.10
Non-Determinism
0.20
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The agent itself does not host or define the foundation model, but it converts arbitrary documents into Markdown specifically for LLM consumption, making the downstream LLM vulnerable to indirect prompt injection embedded within processed documents.

L2 · Data Operations✓ mapped

The agent processes diverse file formats (PDF, Office, images) to extract text. This introduces risks of data parsing vulnerabilities (e.g., malicious PDFs exploiting parser libraries) and potential data exfiltration if the extracted content contains sensitive information that is then sent to external LLM APIs.

L3 · Agent Frameworks✓ mapped

The tool integration relies on MCP (Model Context Protocol). The primary threat is insecure tool integration or path traversal where a compromised or manipulated LLM attempts to read files outside the intended scope, though mitigated by the configured allowed-path scoping.

L4 · Deployment & Infrastructure✓ mapped

The server runs locally or within a host environment with direct filesystem access. If the host environment is not sandboxed, a vulnerability in the document parsing libraries could lead to local code execution or host compromise.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in logging, auditing, or guardrails to monitor which files are accessed or to detect anomalous file access patterns by the calling agent.

L6 · Security & Compliance (cross-cutting)✓ mapped

The agent implements a basic security control via 'allowed-path scoping' to restrict filesystem access. However, robust identity, authentication, and granular authorization mechanisms between the MCP client and server are not detailed in the listing.

L7 · Agent Ecosystem✓ mapped

As an MCP server, this agent is designed to be called by other agents or LLM clients. A compromised orchestrator agent could abuse this tool to scan the local filesystem or exfiltrate data within the allowed paths.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).