mcp_subfinder_server — agentic threat model

AIVSS 7.7 · High

The mcp_subfinder_server is a low-autonomy utility tool exposing passive subdomain discovery. Its primary risks lie in input validation (command injection) and downstream agents blindly trusting unverified OSINT data.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5 · AARS uplift 0.2 · Factor sum 0.8/10 · Threat ×1.0 · Mitigation ×1.0

Autonomy of Action: 0.10
Goal-Driven Planning: 0.00
Self-Modification: 0.00
Dynamic Tool Use: 0.20
Persistent Memory: 0.00
Contextual Awareness: 0.10
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.10
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — This is an MCP tool/server rather than a foundation model, so direct LLM threats like model stealing or alignment issues do not apply directly to this component.

L2 · Data Operations · ✓ mapped

The tool aggregates passive OSINT data from external sources. Threats include data poisoning where malicious actors manipulate public OSINT sources to feed malicious payloads or deceptive subdomain records back to the calling agent.

L3 · Agent Frameworks · ✓ mapped

Exposes a JSON-RPC MCP interface. The primary threat is insecure tool integration, specifically command injection if the domain input is not strictly sanitized before being passed to the underlying subfinder CLI binary.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — The hosting and execution environment (e.g., local node process, Docker container) is not specified, leaving potential risks of host compromise or privilege escalation if run with elevated permissions.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in logging, monitoring, or anomaly detection to track abuse or unauthorized scanning attempts through the MCP server.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The listing mentions a 'scope-control surface', which implies some policy enforcement capability, but it gives no details on authentication, authorization, or audit logging for the JSON-RPC interface.

L7 · Agent Ecosystem · ✓ mapped

As a reconnaissance primitive, other agents in the ecosystem will consume its output. A compromised or manipulated subfinder server could feed false targets to downstream vulnerability scanners, leading to unauthorized scanning or cascading failures.
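The two controls the L3 and L7 entries point to, as an added example that is not code from the listing or from the mcp_subfinder_server project: strict validation of the domain before it reaches the CLI, and scope filtering of the results before another agent consumes them. The function names, the choice of Python, and the `subfinder -d <domain> -silent` invocation with the binary on PATH are assumptions; the sample output lines are constructed.

```python
import re

SUBFINDER_BIN = "subfinder"  # assumption: binary name resolved via PATH

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
# Rejecting a leading hyphen also blocks values that would parse as CLI flags.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def validate_domain(raw):
    """Return the lower-cased domain, or raise ValueError if it is not a plain hostname."""
    if not isinstance(raw, str):
        raise ValueError("domain must be a string")
    domain = raw.lower()
    # fullmatch (not match/search) so trailing newlines or extra text never pass.
    if len(domain) > 253 or not _HOSTNAME.fullmatch(domain):
        raise ValueError("rejected domain input")
    return domain


def build_argv(raw_domain):
    """Build an argv list for subprocess.run(argv, shell=False); no shell sees the value."""
    return [SUBFINDER_BIN, "-d", validate_domain(raw_domain), "-silent"]


def filter_results(domain, lines):
    """Keep only well-formed hostnames at or under the requested domain."""
    kept = set()
    for line in lines:
        host = line.strip().lower()
        in_scope = host == domain or host.endswith("." + domain)
        if len(host) <= 253 and _HOSTNAME.fullmatch(host) and in_scope:
            kept.add(host)
    return sorted(kept)


# Constructed sample of tool output, including lines a poisoned source might return.
SAMPLE_OUTPUT = [
    "www.example.com",
    "API.example.com",
    "evilexample.com",                    # shares a suffix string, different zone
    "example.com.attacker.test",          # requested name used as a prefix only
    "dev.example.com free text payload",  # not a hostname at all
]

if __name__ == "__main__":
    print(build_argv("Example.COM"))
    print(filter_results("example.com", SAMPLE_OUTPUT))
```
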

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).