
Microsoft Learn MCP Server — agentic threat model

AIVSS 4.0 · Medium

The Microsoft Learn MCP Server is a read-only, public documentation retrieval tool with low agentic risk, primarily acting as an untrusted input vector for downstream agents rather than executing actions itself.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 4.3
AARS uplift: 0.76
Factor sum: 1.4 / 10
Threat multiplier (ThM): ×0.95
Mitigation factor: ×0.8

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action: 0.10
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.20
Persistent Memory: 0.00
Contextual Awareness: 0.30
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.40
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
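The following is an added worked example, not part of the listing or of the AIVSS calculator: it recomputes the headline score from the factors above using the formula the listing quotes, and also breaks out how much each agentic factor contributes to the final AIVSS, so a reviewer can see which capability drives the score. The one-decimal rounding of the headline score is an assumption about how the listing displays it.

```python
"""Recompute the OWASP AIVSS score shown on the Microsoft Learn MCP Server listing.

Formula (as quoted on the listing):
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
"""
from dataclasses import dataclass

# The ten agentic risk factors exactly as scored on the listing (0.0 to 1.0 each).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.10,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.20,
    "Persistent Memory": 0.00,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.10,
}


@dataclass
class AivssResult:
    cvss_base: float
    factor_sum: float
    aars: float            # agentic risk uplift added on top of the CVSS base
    aivss: float           # final score, before any display rounding
    contributions: dict    # per-factor share of the final AIVSS (for prioritisation)


def score_aivss(cvss_base: float, factors: dict, threat_multiplier: float,
                mitigation_factor: float) -> AivssResult:
    """Apply the AIVSS formula; rejects inputs outside the documented ranges."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    aivss = (cvss_base + aars) * mitigation_factor
    # The formula is linear in each factor, so a factor's share of the final
    # score is its value scaled by the same headroom and multipliers.
    per_unit = (10.0 - cvss_base) * threat_multiplier * mitigation_factor / 10.0
    contributions = {name: value * per_unit for name, value in factors.items()}
    return AivssResult(cvss_base, factor_sum, aars, aivss, contributions)


if __name__ == "__main__":
    r = score_aivss(4.3, AGENTIC_FACTORS, threat_multiplier=0.95, mitigation_factor=0.8)
    print(f"factor sum {r.factor_sum:.1f}, AARS {r.aars:.2f}, AIVSS {r.aivss:.1f}")
```

Running it reproduces the listing's 0.76 uplift and 4.0 headline score, and shows Multi-Agent Interactions as the largest single contributor.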

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — the MCP server itself does not host the foundation model, but downstream LLMs consuming its output are vulnerable to prompt injection or indirect instruction injection embedded within the retrieved documentation.

L2 · Data Operations · ✓ mapped

The server retrieves grounded documentation and official code samples from Microsoft Learn. The primary threat is data poisoning if the upstream Microsoft Learn source is compromised, or if the public remote endpoint is spoofed/intercepted.

L3 · Agent Frameworks · ✓ mapped

The tool is read-only and exposes specific documentation retrieval schemas. The risk of tool misuse is low, but downstream agent frameworks may unsafely execute the returned code samples (insecure tool integration).

L4 · Deployment & Infrastructure · ✓ mapped

Hosted as a public remote endpoint. Threats include denial of service (DoS) on the endpoint, lack of transport layer security, or infrastructure compromise of the hosting server.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — there is no mention of built-in logging, telemetry, or input/output validation guardrails to detect if malicious payloads are being served through the MCP protocol.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The server is public and read-only, implying no authentication or authorization controls (AuthN/AuthZ) for consumers; this simplifies integration but means no per-consumer access control policy can be enforced.

L7 · Agent Ecosystem · ✓ mapped

Designed to integrate into broader agent ecosystems (MCP). It acts as a dependency; a compromise or manipulation of this server's outputs can cause cascading failures or security breaches in consuming client agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).