mcp_subfinder_server — agentic threat model
The mcp_subfinder_server is a low-autonomy utility tool exposing passive subdomain discovery. Its primary risks lie in input validation (command injection) and downstream agents blindly trusting unverified OSINT data.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.00 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.10 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.10 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — This is an MCP tool/server rather than a foundation model, so direct LLM threats like model stealing or alignment issues do not apply directly to this component.
Layer 2 (Data Operations): The tool aggregates passive OSINT data from external sources. Threats include data poisoning, where malicious actors manipulate public OSINT sources to feed malicious payloads or deceptive subdomain records back to the calling agent.
Layer 3 (Agent Frameworks): Exposes a JSON-RPC MCP interface. The primary threat is insecure tool integration, specifically command injection if the domain input is not strictly validated before being passed to the underlying subfinder CLI binary.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The hosting and execution environment (e.g., local node process, Docker container) is not specified, leaving potential risks of host compromise or privilege escalation if run with elevated permissions.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in logging, monitoring, or anomaly detection to track abuse or unauthorized scanning attempts through the MCP server.
Layer 6 (Security and Compliance): The listing mentions a 'scope-control surface', which implies some policy enforcement capability, but lacks details on authentication, authorization, or audit logging for the JSON-RPC interface.
Layer 7 (Agent Ecosystem): As a reconnaissance primitive, other agents in the ecosystem will consume its output. A compromised or manipulated subfinder server could feed false targets to downstream vulnerability scanners, leading to unauthorized scanning or cascading failures.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).