
mcp-zap-server (dtkmn) — agentic threat model

AIVSS 6.9 · Medium

The mcp-zap-server acts as a powerful DAST control surface, presenting a high-impact risk profile if compromised due to its ability to launch active web security scans, though this is mitigated by built-in production guardrails and guided scoping.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.65
Factor sum: 4.1 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.75

Agentic risk factors:
Autonomy of Action: 0.60
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.30
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
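The score above can be reproduced from the listed inputs. The following is an added worked example, not part of the listing or of the mcp-zap-server project: it applies the AIVSS formula to the ten factor values shown here, and also shows what the score would be with the mitigation factor set to 1.0 (i.e. if the guardrails and scoping the listing credits were absent). The qualitative band thresholds are an assumption that AIVSS reuses the CVSS v3 rating scale (Low < 4.0, Medium < 7.0, High < 9.0, else Critical).

```python
"""Worked OWASP AIVSS computation using the values shown on this listing."""

# The ten agentic risk factors exactly as scored on the listing (each 0.0 to 1.0).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}

CVSS_BASE = 8.5           # CVSS base as listed
THREAT_MULTIPLIER = 1.05  # ThM as listed
MITIGATION_FACTOR = 0.75  # Mitigation_Factor as listed (guardrails, scoping)


def factor_sum(factors):
    """Factor_Sum: plain sum of the ten agentic factors (max 10)."""
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, per the listing."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, per the listing."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return (cvss_base + uplift) * mitigation_factor


def severity(score):
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3 rating scale."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_listing(mitigation_factor=MITIGATION_FACTOR):
    """Score this listing; override mitigation_factor to see its effect."""
    raw = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, mitigation_factor)
    return round(raw, 1), severity(raw)


if __name__ == "__main__":
    print("factor sum:", round(factor_sum(AGENTIC_FACTORS), 1))
    print("AARS uplift:", round(aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER), 2))
    print("with listed mitigation:", score_listing())
    print("with no mitigation credit:", score_listing(mitigation_factor=1.0))
```

Running it reproduces the listed values (factor sum 4.1, AARS 0.65, AIVSS 6.9 Medium). With the mitigation factor removed the same inputs land in the Critical band, which is the quantitative form of the listing's point that the production guardrails and guided scoping are what keep this control surface at Medium.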

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The underlying LLM is not specified as this is an MCP server. Standard foundation model risks like prompt injection could be used to bypass the server's scoping rules or force it to target unauthorized hosts.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — Data operations are limited to scan findings and reports. Risks include the potential exfiltration or poisoning of vulnerability reports and scan configurations stored or processed by the server.

L3 · Agent Frameworks (✓ mapped)

The agent framework layer is highly critical here as it exposes OWASP ZAP orchestration tools. Insecure tool integration or prompt injection could allow an attacker to hijack the tool-calling mechanism to run arbitrary DAST scans against unauthorized targets.

L4 · Deployment & Infrastructure (✓ mapped)

As a self-hosted operator running over streamable HTTP, secure deployment is vital. Compromise of the hosting environment could allow lateral movement, unauthorized network scanning of internal assets, or exposure of the ZAP API keys and target credentials.

L5 · Evaluation & Observability (✓ mapped)

The agent emphasizes guided scans, findings, and reports. Observability must ensure that all scan targets, parameters, and execution states are strictly logged to detect unauthorized scanning attempts or guardrail bypasses.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Security and compliance are central to this agent, which explicitly features production guardrails and scoping controls to prevent unconstrained attacks. Strict authorization policies are required to define who can initiate scans and on what targets.
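The L5 and L6 entries ask for two things of a scan-orchestration tool: that scan targets and requesters are checked against an explicit policy, and that every decision is logged so out-of-scope attempts are visible. The block below is an added illustration of such a guardrail and is not code from mcp-zap-server; the policy model (a hostname allowlist, allowed IP networks, a never-scan production list, a required role) and the sample hosts and networks are constructed for the example.

```python
"""Target-scope and authorisation guardrail for a scan-orchestration tool (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from urllib.parse import urlsplit


class ScanDenied(Exception):
    """Raised when a scan request falls outside policy."""


@dataclass
class ScanPolicy:
    # Hostnames the operator may scan (exact, lower-case match).
    allowed_hosts: set[str]
    # Networks the operator may scan when the target is a literal IP address.
    allowed_networks: list[IPv4Network | IPv6Network]
    # Hosts that are never scanned, even if they also appear in the allowlist.
    production_hosts: set[str]
    # Role a caller must hold before any scan is started.
    required_role: str = "scan-operator"


def authorize_scan(policy, requester, roles, target_url, audit_log):
    """Return the normalised target host if the scan is allowed, else raise ScanDenied.

    Every decision, allowed or denied, is appended to audit_log as a dict so
    that refused or out-of-scope requests are visible to whoever reviews the
    server's logs (the L5 observability requirement)."""

    def decide(outcome, reason, host=None):
        audit_log.append({"requester": requester, "target": target_url,
                          "host": host, "decision": outcome, "reason": reason})
        if outcome == "deny":
            raise ScanDenied(reason)

    # Who may start a scan at all.
    if policy.required_role not in roles:
        decide("deny", f"requester lacks role {policy.required_role!r}")

    # Only absolute http(s) URLs with a host are accepted as targets.
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        decide("deny", "target must be an absolute http(s) URL")
    host = parts.hostname.lower()

    # The production block wins over every allowlist entry.
    if host in policy.production_hosts:
        decide("deny", "target is a production host", host)

    # Literal IPs are checked against networks, names against the hostname allowlist.
    try:
        addr = ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if not any(addr in net for net in policy.allowed_networks):
            decide("deny", "IP target outside allowed networks", host)
    elif host not in policy.allowed_hosts:
        decide("deny", "hostname not in allowlist", host)

    decide("allow", "target in scope and requester authorised", host)
    return host


def is_in_scope(policy, requester, roles, target_url, audit_log):
    """Boolean convenience wrapper around authorize_scan."""
    try:
        authorize_scan(policy, requester, roles, target_url, audit_log)
        return True
    except ScanDenied:
        return False


# Constructed sample policy for the example (not from any real deployment).
EXAMPLE_POLICY = ScanPolicy(
    allowed_hosts={"staging.example.test"},
    allowed_networks=[ip_network("10.20.0.0/16")],
    production_hosts={"www.example.test"},
)


def run_example():
    """Exercise the policy with constructed requests; return the audit log."""
    log = []
    operator = {"scan-operator"}
    is_in_scope(EXAMPLE_POLICY, "alice", operator, "https://staging.example.test/login", log)
    is_in_scope(EXAMPLE_POLICY, "alice", operator, "https://www.example.test/", log)
    is_in_scope(EXAMPLE_POLICY, "bob", {"viewer"}, "https://staging.example.test/", log)
    return log


if __name__ == "__main__":
    for entry in run_example():
        print(entry["decision"], entry["requester"], entry["target"], "-", entry["reason"])
```

The order of checks matters: the role check runs before the URL is parsed, so unauthorised callers learn nothing about which targets are in scope, and the production block is evaluated before the allowlist so a host cannot be scanned merely because it was also allowlisted by mistake.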

L7 · Agent Ecosystem (✓ mapped)

In a multi-agent ecosystem, other agents might call this MCP server to perform security checks. Trust boundaries must be enforced so that compromised upstream agents cannot abuse the ZAP operator to perform malicious reconnaissance.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).