mcp-zap-server (dtkmn) — agentic threat model
The mcp-zap-server is a DAST control surface: it lets an MCP client drive OWASP ZAP. If the server is compromised or misdirected, the blast radius is high, because the tools it exposes launch active scans, which means real attack traffic against whatever target they are pointed at. The listing names built-in production guardrails and guided scoping as the mitigations; the threat model below assumes those controls are the main thing standing between a prompt-injected client and an unauthorized scan.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference). The agentic risk factors above are estimates derived from the agent's described capabilities, not measured values; Dynamic Tool Use scores highest because the server's whole purpose is to expose ZAP operations as callable tools.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged "Not certain from the listing" are general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models. Not certain from the listing: no LLM is bundled, because this is an MCP server; the model lives in whichever client connects to it. The foundation-model risk is therefore indirect prompt injection into that client. Scan findings carry content taken from the scanned application's responses (evidence strings, page text, headers), so a target can plant instructions that the client model reads back as tool output and acts on, for example by calling the scan tool against a host outside the agreed scope. Scoping rules enforced only in the model's prompt do not survive this; they have to be enforced in the server before any ZAP API call.
Layer 2, Data Operations. Not certain from the listing: the data the server handles is limited to scan findings, reports and scan configuration. Risks are exfiltration of vulnerability reports (a ready-made target list for an attacker), poisoning of findings so that real issues are suppressed or false ones injected, and tampering with stored scan configuration such as target lists or authentication settings.
Layer 3, Agent Frameworks. This layer is the critical one here: the server exposes OWASP ZAP orchestration (spider, active scan, findings, reports) as MCP tools. Insecure tool integration or prompt injection lets an attacker hijack the tool-calling path to run arbitrary active scans against targets the operator never authorized. The guardrails the listing describes belong at this layer, on the server side of the tool boundary, and should validate the principal, the target and the scan parameters on every call rather than trusting the client's stated intent.
Layer 4, Deployment and Infrastructure. The server is self-hosted and speaks MCP over the Streamable HTTP transport, so both the host and the transport endpoint are attack surface. If the endpoint is reachable without client authentication, anyone who can reach it can drive ZAP. If the host is compromised, the attacker inherits a pre-installed scanner positioned inside the network (lateral movement, scanning of internal assets that were never meant to be reachable), along with the ZAP API key and any target credentials the server stores for authenticated scans.
Layer 5, Evaluation and Observability. The agent emphasizes guided scans, findings and reports. Observability must record, for every scan request, who initiated it, the target URL and the addresses it resolved to, the scan parameters, and the resulting execution state, so that unauthorized scanning attempts and guardrail bypasses are detectable after the fact and not only when a target complains.
Layer 6, Security and Compliance. Security and compliance are central to this agent, which explicitly features production guardrails and scoping controls to prevent unconstrained attacks. Those controls need an explicit authorization policy: which principals may start scans, against which targets, and with which scan profiles. Active scanning of systems without authorization is itself an offence in most jurisdictions, so a scope failure here is a legal exposure as well as a technical one.
Layer 7, Agent Ecosystem. In a multi-agent ecosystem, other agents may call this MCP server to perform security checks as part of a larger workflow. Trust boundaries must be enforced so that a compromised or prompt-injected upstream agent cannot use the ZAP operator for reconnaissance against hosts it was never cleared to touch; the server should apply the same target and principal checks to agent callers as to human ones.
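The guardrail discussed under Layers 3, 4, 5 and 6 above is a server-side check that runs before any ZAP API call. The following is an added example, written for this page and not code from mcp-zap-server: an illustrative `authorize_scan` function that checks the calling principal against a scope, allowlists the target host, resolves it, and refuses any target that resolves to a loopback, RFC 1918, CGNAT, link-local (including the cloud metadata address) or otherwise internal range unless that range was explicitly permitted, while returning an audit record of the decision. All names, the scope, the hostnames and the fake DNS answers are assumptions constructed for the demo so that it runs offline.

```python
"""Illustrative target-scoping guard for an MCP tool that launches ZAP scans.

Added example, not code from mcp-zap-server. ScanScope, authorize_scan and the
demo hostnames/addresses are assumptions made for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlsplit

# Ranges a DAST operator must not scan unless they are explicitly allowed:
# "this" network, RFC 1918, CGNAT, loopback, link-local (covers the cloud
# metadata address 169.254.169.254) and the IPv6 equivalents.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], list[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver and return every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_address(addr) -> bool:
    """True for addresses a scan must never reach by default."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot dodge the v4 rules.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return True
    return any(ip in net for net in _INTERNAL_NETS)


@dataclass
class ScanScope:
    """Who may scan what. Hostnames are matched case-insensitively."""
    principals: set[str]
    allowed_hosts: set[str] = field(default_factory=set)
    allowed_suffixes: set[str] = field(default_factory=set)  # "lab.example.com" also matches "a.lab.example.com"
    allowed_nets: list = field(default_factory=list)         # explicitly permitted internal ranges

    def host_in_scope(self, host: str) -> bool:
        host = host.lower()
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:  # IP literal: only allowed if inside a permitted range
            return any(ip in net for net in self.allowed_nets)
        if host in self.allowed_hosts:
            return True
        return any(host == s or host.endswith("." + s) for s in self.allowed_suffixes)


def authorize_scan(principal: str, target: str, scope: ScanScope,
                   resolver: Resolver = system_resolver) -> dict:
    """Return an audit record; record["allowed"] says whether the scan may run.

    Denies when the caller is not an authorized principal, the URL is not plain
    http(s), the host is not allowlisted, or ANY address the host resolves to is
    internal and outside scope.allowed_nets (catches answers that mix public and
    private addresses, as a rebinding-style DNS record would).
    """
    record = {"principal": principal, "target": target, "host": None,
              "resolved": [], "allowed": False, "reason": ""}
    if principal not in scope.principals:
        record["reason"] = "principal not authorized to start scans"
        return record
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.username:
        record["reason"] = "target must be a plain http(s) URL without credentials"
        return record
    host = parts.hostname.lower()
    record["host"] = host
    if not scope.host_in_scope(host):
        record["reason"] = "host not in allowlist"
        return record
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            record["reason"] = f"resolution failed: {exc}"
            return record
    record["resolved"] = [str(a) for a in addrs]
    if not addrs:
        record["reason"] = "host resolved to no addresses"
        return record
    for ip in addrs:
        if is_internal_address(ip) and not any(ip in net for net in scope.allowed_nets):
            record["reason"] = f"{ip} is an internal address outside the allowed ranges"
            return record
    record["allowed"] = True
    record["reason"] = "target in scope"
    return record


# Constructed demo data: a fake resolver standing in for DNS so this runs offline.
_FAKE_DNS = {
    "staging.example.com": ["203.0.113.10"],
    "rebind.lab.example.com": ["198.51.100.9", "10.0.0.5"],   # mixed public/private answer
    "metadata.lab.example.com": ["169.254.169.254"],         # points at cloud metadata
}


def demo_resolver(host: str) -> list[str]:
    return _FAKE_DNS.get(host, [])


DEMO_SCOPE = ScanScope(
    principals={"ci-bot"},
    allowed_hosts={"staging.example.com"},
    allowed_suffixes={"lab.example.com"},
    allowed_nets=[ipaddress.ip_network("10.0.5.0/24")],  # one explicitly permitted internal range
)


def demo() -> dict:
    """Run the guard over constructed cases; returns {case name: allowed?}."""
    cases = {
        "in-scope host": ("ci-bot", "https://staging.example.com/login"),
        "wrong principal": ("dev-chat", "https://staging.example.com/"),
        "unlisted host": ("ci-bot", "https://prod.example.com/"),
        "rebinding answer": ("ci-bot", "https://rebind.lab.example.com/"),
        "metadata endpoint": ("ci-bot", "http://metadata.lab.example.com/latest/"),
        "permitted internal literal": ("ci-bot", "http://10.0.5.20:8080/"),
        "loopback literal": ("ci-bot", "http://127.0.0.1:8080/"),
    }
    results = {}
    for name, (principal, url) in cases.items():
        rec = authorize_scan(principal, url, DEMO_SCOPE, demo_resolver)
        results[name] = rec["allowed"]
        verdict = "ALLOW" if rec["allowed"] else "DENY"
        print(f"{verdict:5} {name:28} {rec['reason']}")
    return results


if __name__ == "__main__":
    demo()
```

The returned record is the audit line Layer 5 asks for: log it whether or not the scan runs. Note that this validates only the seed URL; ZAP's spider and active scanner follow links from there, so the same allowlist must also be expressed as a ZAP context (include and exclude rules) so that the scanner itself refuses to leave scope.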
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).