
mcp-redis-allowlist — agentic threat model

AIVSS 6.1 · Medium

mcp-redis-allowlist is a specialized MCP tool designed to mitigate agentic risks by enforcing a strict, read-only command allowlist on Redis databases, though it remains sensitive to credential exposure and input injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5 · AARS uplift: 0.2 · Factor sum: 1.3/10 · Threat multiplier (ThM): ×1.0 · Mitigation factor: ×0.7

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.00
Self-Modification: 0.00
Dynamic Tool Use: 0.40
Persistent Memory: 0.10
Contextual Awareness: 0.10
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.10
Non-Determinism: 0.10
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server itself does not host or run a foundation model; it is a tool designed to be invoked by an external LLM, meaning model-level threats like prompt injection must be handled by the orchestrating agent.

L2 · Data Operations (✓ mapped)

Directly interacts with Redis data stores. Threats include unauthorized data exposure or exfiltration if the allowlist is overly permissive or if sensitive keys are read via allowed diagnostic commands.

L3 · Agent Frameworks (✓ mapped)

Acts as an integration tool within agent frameworks. A key threat is tool misuse or argument injection, where an LLM crafts malicious payloads to exploit allowed commands or bypass subcommand restrictions.

L4 · Deployment & Infrastructure (✓ mapped)

Requires a REDIS_URL connection string. Exposure of this environment variable or lack of network isolation could lead to credential theft, unauthorized database access, or lateral movement within the infrastructure.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The description does not specify whether the server logs executed commands, alerts on blocked command attempts, or integrates with external observability platforms.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Implements strong security controls via a configurable command allowlist and an opt-in write-allowed flag, establishing a policy-based authorization boundary for database access.
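Added illustration of the authorization boundary described under L3 (argument injection, subcommand restrictions) and L6 (read-only allowlist with an opt-in write flag). This is constructed example code, not mcp-redis-allowlist's own implementation; the command sets, the subcommand lists and the Allowlist class are assumptions chosen to show the decision logic.

```python
"""Allowlist gate for Redis commands issued by an LLM agent (constructed example)."""
from dataclasses import dataclass

# Diagnostic commands whose safety depends on the subcommand: only the listed
# subcommands count as read-only. Assumed lists, not the project's own policy.
READ_ONLY_SUBCOMMANDS = {
    "CONFIG": frozenset({"GET"}),
    "CLIENT": frozenset({"LIST", "INFO", "GETNAME"}),
    "MEMORY": frozenset({"USAGE", "STATS"}),
}


@dataclass(frozen=True)
class Allowlist:
    """Policy boundary: read-only by default, writes only with the opt-in flag."""
    read_only: frozenset = frozenset({"GET", "MGET", "HGETALL", "SCAN", "TTL", "TYPE", "EXISTS", "PING"})
    write_commands: frozenset = frozenset({"SET", "DEL", "HSET", "EXPIRE"})
    write_allowed: bool = False  # the opt-in write-allowed flag

    def check(self, argv: list) -> tuple:
        """Return (allowed, reason) for an already tokenised command.

        The decision keys on the whole first token, case-insensitively, so a
        command name appearing inside a later argument (e.g. a key) never
        changes the verdict.
        """
        if not argv:
            return False, "empty command"
        cmd = argv[0].upper()
        if cmd in READ_ONLY_SUBCOMMANDS:
            sub = argv[1].upper() if len(argv) > 1 else ""
            if sub in READ_ONLY_SUBCOMMANDS[cmd]:
                return True, f"{cmd} {sub} is a read-only subcommand"
            return False, f"{cmd} {sub or '<missing>'} is not a read-only subcommand"
        if cmd in self.read_only:
            return True, f"{cmd} is read-only"
        if cmd in self.write_commands:
            if self.write_allowed:
                return True, f"{cmd} permitted by the write-allowed flag"
            return False, f"{cmd} is a write command and write_allowed is off"
        # Anything not explicitly listed (FLUSHALL, EVAL, DEBUG, ...) is denied.
        return False, f"{cmd} is not in the allowlist"


if __name__ == "__main__":
    for argv in (["get", "user:42"], ["CONFIG", "GET", "maxmemory"],
                 ["CONFIG", "SET", "maxmemory", "1gb"], ["SET", "k", "v"]):
        print(argv, "->", Allowlist().check(argv))
```

Denied verdicts carry a reason so the server can log blocked attempts, which is the L5 observability gap the listing does not settle.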

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — The tool operates as a single-point database connector and does not define multi-agent collaboration protocols or marketplace trust boundaries.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).