
pd-tools-mcp (ProjectDiscovery tools) — agentic threat model

AIVSS 9.4 · Critical

This agent possesses high agentic risk due to its ability to orchestrate active network reconnaissance and vulnerability scanning tools (Nuclei, Naabu, Subfinder) autonomously, which can easily be abused for unauthorized scanning, exploitation, or policy violations if scope boundaries are not strictly enforced.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.89 · Factor sum 5.4/10 · Threat ×1.1 · Mitigation ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.90
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.40
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
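To check the headline numbers, the following added example (not the listing's own code and not the OWASP calculator's) carries the formula above through with the ten factor values exactly as listed: the factor sum, the AARS uplift and the final AIVSS score.

```python
"""Worked AIVSS computation for the factor values in the listing above.
Added example; not the listing's own code or the OWASP calculator's."""

# Agentic risk factors as listed on the page (each 0.0 to 1.0).
FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.90,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


def factor_sum(factors):
    """Sum of the ten agentic risk factors (the page shows 5.4/10)."""
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, as stated on the page."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, as stated on the page."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def score_listing():
    """Reproduce the listing's inputs: CVSS base 8.5, threat x1.1, mitigation x1.0."""
    return {
        "factor_sum": round(factor_sum(FACTORS), 2),
        "aars": round(aars(8.5, FACTORS, 1.1), 2),
        "aivss": round(aivss(8.5, FACTORS, 1.1, 1.0), 1),
    }


if __name__ == "__main__":
    print(score_listing())  # expected: factor_sum 5.4, aars 0.89, aivss 9.4
```

The uplift is bounded by (10 − CVSS_Base), so a high CVSS base leaves little headroom for the agentic factors: here 1.5 × 0.54 × 1.1 ≈ 0.89, which is what lifts 8.5 to 9.4.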

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The underlying foundation model is not specified, but whichever model is used is highly vulnerable to prompt injection or jailbreaks that could force the agent to target unauthorized IP ranges or domains.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The agent primarily processes dynamic network reconnaissance data rather than relying on a persistent vector database or RAG pipeline, though target lists and scan results represent sensitive operational data.

L3 · Agent Frameworks (✓ mapped)

The MCP framework integrates highly sensitive command-line tools (subfinder, dnsx, naabu, httpx, nuclei). The primary threat is insecure tool integration and tool misuse, where an LLM dynamically constructs arguments or targets, leading to remote code execution or unauthorized scanning.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment environment requires robust sandboxing and network egress controls to prevent the agent from scanning internal RFC1918 space or being used as a proxy for SSRF/lateral movement.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There are no mentioned guardrails, logging, or evaluation mechanisms to monitor, rate-limit, or audit the active scans initiated by the LLM.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — The toolchain lacks built-in identity, authorization, or scope-limiting policies (e.g., blacklisting government or internal IPs), raising severe compliance and legal liability concerns.

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, this agent is designed to be called by other agents or host clients. A compromised orchestrator agent could abuse this toolchain to conduct automated, distributed attacks without human oversight.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).