mcp-shodan (ADEOSec) — agentic threat model
The mcp-shodan agent presents a moderate-to-high risk profile due to its handling of sensitive threat intelligence API keys and its ability to perform active network reconnaissance and alert management, which could be abused via prompt injection from untrusted external data.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — The underlying foundation model is not specified, but the 11 consolidated analysis prompts are vulnerable to indirect prompt injection if external data returned from Shodan or VirusTotal contains adversarial payloads.
Layer 2, Data Operations: Not certain from the listing — It is unclear if the server caches or stores query results locally, but processing external threat intelligence data introduces a risk of data poisoning or injection into the analyst's context.
Layer 3, Agent Frameworks: The agent framework exposes 11 consolidated prompts for host lookup, DNS operations, and alert management. Insecure tool integration or lack of input validation on these prompts could allow an attacker to trigger unauthorized network scans or manipulate alerts.
Layer 4, Deployment and Infrastructure: Not certain from the listing — The deployment environment is not detailed, but the server must securely store and access two sensitive API keys (Shodan and VirusTotal), presenting a high-value target for credential theft.
Layer 5, Evaluation and Observability: Not certain from the listing — There is no mention of built-in logging, auditing, or guardrails to monitor and restrict the types of queries or hosts being scanned through the MCP server.
Layer 6, Security and Compliance: Not certain from the listing — The tool lacks defined access control policies or authentication mechanisms to verify which users or upstream agents are authorized to execute reconnaissance commands.
Layer 7, Agent Ecosystem: As an MCP server, this agent is built to integrate directly into larger agentic ecosystems, meaning a compromise or manipulation of this tool can propagate to other connected orchestrators and decision-making agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).