protect-mcp-setup — agentic threat model
This agent skill is itself a high-privilege security control: it configures cryptographic governance for Claude Code. It adds real mitigations (Cedar policy gating and a signed audit trail), but installing it means executing bundled scripts with broad access to the host, which makes the skill and its distribution channel a high-value supply-chain target. Before installing, pin the skill to a specific version and read the bundled scripts; a control that gates every tool call is only as trustworthy as the code that installed it.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0–1) | Rationale |
|---|---|---|
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.80 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.70 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the OWASP AIVSS formula (see the AIVSS calculator); the agentic risk factors above are estimates derived from the skill's described capabilities, not measurements.
MAESTRO 7-layer threat model
Per-layer threats for this skill. Entries marked "not certain from the listing" are general, caveated commentary where the public description did not pin down that layer.
Layer 1, Foundation Models (not certain from the listing): the skill does not name a foundation model; it runs as a runtime hook around Claude Code, typically backed by Claude 3.5 Sonnet. The main threat here is prompt injection: an injected instruction can steer the model toward tool calls that the policy permits but that serve the attacker, so the gate is only as strong as the policy's coverage of what it permits.
Layer 2, Data Operations (not certain from the listing): the skill handles policy files and cryptographic receipts rather than vector stores or RAG pipelines. The data-layer risk is unauthorized modification or exfiltration of the local Cedar policy files and signing keys. A policy file the agent can write lets the agent, or an injected instruction, loosen its own guardrails; a leaked signing key lets anyone forge receipts.
Layer 3, Agent Frameworks: the skill sits directly in this layer, intercepting and gating Claude Code tool calls (Bash, Edit, Write, WebFetch). Threats are bypasses of the runtime hooks (a tool the hook is not registered for, or an argument shape the policy does not inspect), time-of-check/time-of-use gaps between policy evaluation and execution (a path or command that resolves differently when it actually runs), and fail-open handling of rejected or errored evaluations.
Layer 4, Deployment and Infrastructure: installation runs bundled scripts that register runtime hooks and write local policy files on the host. If those scripts are tampered with in transit or contain defects, the result is host compromise or privilege escalation. Verify the bundle's integrity and read the scripts before running them.
Layer 5, Evaluation and Observability: the skill directly addresses this layer by producing an offline-verifiable, hash-chained, Ed25519-signed audit trail of every tool invocation. Hash chaining detects edits, reordering and deletions inside the log; the signature gives non-repudiation for agent actions. Two caveats: the chain alone cannot detect truncation of the newest entries unless the head digest is pinned somewhere else, and both properties depend on the signing key staying out of reach of whoever might tamper with the log.
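The audit-trail mechanics described above, as an added Go example written for this page rather than the project's own code: each receipt is hash-chained to its predecessor and Ed25519-signed using only the standard library, and a verifier holding nothing but the public key checks the chain offline. The receipt field names, the canonical encoding, the `Head` pin and the sample invocations are this example's own assumptions, not the project's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Receipt is one audit record. Field names are this example's own, not the project's format.
type Receipt struct {
	Seq      uint64 `json:"seq"`
	Tool     string `json:"tool"`
	Input    string `json:"input"`
	Decision string `json:"decision"`
	Prev     string `json:"prev"`   // hex digest of the previous receipt ("" for the first)
	Digest   string `json:"digest"` // hex SHA-256 over the canonical body
	Sig      string `json:"sig"`    // hex Ed25519 signature over the digest bytes
}

// canonical serialises exactly the fields the digest covers, in a fixed order,
// so writer and verifier hash the same bytes.
func canonical(r Receipt) []byte {
	b, _ := json.Marshal([]any{r.Seq, r.Tool, r.Input, r.Decision, r.Prev})
	return b
}

func digest(r Receipt) []byte {
	h := sha256.Sum256(canonical(r))
	return h[:]
}

// Trail is the append-only log held by the writer (the hook side).
type Trail struct {
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey // shipped alongside the log; verifiers need nothing else
	Receipts []Receipt
}

// NewTrail generates a fresh signing key. In a real deployment the private key
// would live outside the agent's reach (see the key-custody caveat above).
func NewTrail() *Trail {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Trail{priv: priv, Pub: pub}
}

// Append links the new receipt to the previous digest, hashes it, and signs the hash.
func (t *Trail) Append(tool, input, decision string) Receipt {
	r := Receipt{Seq: uint64(len(t.Receipts)), Tool: tool, Input: input, Decision: decision}
	if n := len(t.Receipts); n > 0 {
		r.Prev = t.Receipts[n-1].Digest
	}
	d := digest(r)
	r.Digest = hex.EncodeToString(d)
	r.Sig = hex.EncodeToString(ed25519.Sign(t.priv, d))
	t.Receipts = append(t.Receipts, r)
	return r
}

// Head is the digest of the newest receipt. Pinning it out of band (printed, committed,
// countersigned) is what lets a verifier notice that the tail of the log was cut off;
// the chain by itself cannot distinguish a truncated log from a shorter honest one.
func (t *Trail) Head() string {
	if len(t.Receipts) == 0 {
		return ""
	}
	return t.Receipts[len(t.Receipts)-1].Digest
}

// Verify checks a trail offline with only the public key: contiguous sequence numbers,
// each Prev equal to the previous Digest, each Digest recomputing, each signature valid.
// Any edit, reorder or deletion inside the log fails at least one check.
func Verify(pub ed25519.PublicKey, rs []Receipt) error {
	prev := ""
	for i, r := range rs {
		if r.Seq != uint64(i) {
			return fmt.Errorf("receipt %d: sequence gap (seq=%d)", i, r.Seq)
		}
		if r.Prev != prev {
			return fmt.Errorf("receipt %d: chain broken (prev mismatch)", i)
		}
		d := digest(r)
		if hex.EncodeToString(d) != r.Digest {
			return fmt.Errorf("receipt %d: digest mismatch (content altered)", i)
		}
		sig, err := hex.DecodeString(r.Sig)
		if err != nil || !ed25519.Verify(pub, d, sig) {
			return fmt.Errorf("receipt %d: bad signature", i)
		}
		prev = r.Digest
	}
	return nil
}

func main() {
	t := NewTrail()
	t.Append("Bash", "ls -la", "allow") // constructed sample invocations
	t.Append("Write", ".claude/protect/policy.cedar", "deny")
	t.Append("WebFetch", "https://example.com", "deny")
	fmt.Println("intact:", Verify(t.Pub, t.Receipts))
	forged := append([]Receipt(nil), t.Receipts...)
	forged[1].Decision = "allow" // rewrite a denied action to look permitted
	fmt.Println("forged:", Verify(t.Pub, forged))
}
```

Note the two failure modes the verifier does not cover on its own: dropping the last receipts leaves a chain that still verifies (only a pinned `Head` exposes it), and an attacker who obtains the private key can re-sign a rewritten log, so key custody is part of the audit trail's threat model, not an afterthought.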
Layer 6, Security and Compliance: this is the skill's core. It implements zero-trust cryptographic governance by authorizing each tool execution against AWS Cedar policies, which gives agent actions an explicit identity and authorization boundary. Cedar's evaluation order matters for how that boundary behaves: a matching forbid overrides any permit, and a request no policy permits is denied.
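The hook-level gating from the Agent Frameworks entry and the authorization boundary from the Security and Compliance entry, as one added Go example written for this page rather than the project's code. It assumes Claude Code's documented hook contract: a PreToolUse hook receives JSON on stdin carrying `tool_name` and `tool_input`, and exit code 2 blocks the call with stderr returned to the model. The rule table stands in for the Cedar engine (it is not Cedar) and mirrors Cedar's forbid-overrides-permit and default-deny ordering; the protected directory, the rule contents and the sample payloads are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// HookInput holds the two fields of the PreToolUse payload the gate needs.
// Assumption: tool_input carries "command" for Bash and "file_path" for Edit/Write.
type HookInput struct {
	ToolName  string         `json:"tool_name"`
	ToolInput map[string]any `json:"tool_input"`
}

// Decision is the gate's verdict; Reason is what is fed back to the model on a block.
type Decision struct {
	Allow  bool
	Reason string
}

// Rule is one policy statement. The evaluator mirrors the ordering Cedar policies rely on:
// any matching forbid wins over any permit, and with no matching permit the request is denied.
// This table is a stand-in for the Cedar engine, not Cedar itself.
type Rule struct {
	Effect string // "permit" or "forbid"
	Tool   string // tool_name this rule applies to; "*" matches every tool
	Cond   func(in map[string]any) bool
	Why    string
}

func str(in map[string]any, k string) string {
	s, _ := in[k].(string)
	return s
}

// protectedDir is the hypothetical location of the policy files and signing key;
// a write there would let the agent rewrite its own guardrails.
const protectedDir = ".claude/protect"

// underProtected only cleans the path; it cannot resolve symlinks or $(...) at check time,
// which is exactly the time-of-check/time-of-use gap a real gate must also address.
func underProtected(path string) bool {
	p := filepath.ToSlash(filepath.Clean(path))
	return p == protectedDir || strings.HasPrefix(p, protectedDir+"/") ||
		strings.HasSuffix(p, "/"+protectedDir) || strings.Contains(p, "/"+protectedDir+"/")
}

var DefaultPolicy = []Rule{
	{Effect: "forbid", Tool: "Bash", Why: "piping fetched content into a shell is not permitted",
		Cond: func(in map[string]any) bool {
			c := str(in, "command")
			return strings.Contains(c, "| sh") || strings.Contains(c, "|sh") || strings.Contains(c, "| bash")
		}},
	{Effect: "forbid", Tool: "Bash", Why: "recursive delete from the filesystem root is not permitted",
		Cond: func(in map[string]any) bool { return strings.Contains(str(in, "command"), "rm -rf /") }},
	{Effect: "forbid", Tool: "Edit", Why: "policy and key material are read-only to the agent",
		Cond: func(in map[string]any) bool { return underProtected(str(in, "file_path")) }},
	{Effect: "forbid", Tool: "Write", Why: "policy and key material are read-only to the agent",
		Cond: func(in map[string]any) bool { return underProtected(str(in, "file_path")) }},
	{Effect: "permit", Tool: "Bash", Cond: func(map[string]any) bool { return true }},
	{Effect: "permit", Tool: "Edit", Cond: func(map[string]any) bool { return true }},
	{Effect: "permit", Tool: "Write", Cond: func(map[string]any) bool { return true }},
	// No permit for WebFetch or any other tool: default deny covers them.
}

// Evaluate parses a raw hook payload and applies the policy. It fails closed:
// a malformed payload or an unknown tool is denied rather than let through.
func Evaluate(policy []Rule, raw []byte) Decision {
	var in HookInput
	if err := json.Unmarshal(raw, &in); err != nil || in.ToolName == "" {
		return Decision{false, "malformed hook payload; denying (fail closed)"}
	}
	permitted := false
	for _, r := range policy {
		if r.Tool != "*" && r.Tool != in.ToolName {
			continue
		}
		if !r.Cond(in.ToolInput) {
			continue
		}
		if r.Effect == "forbid" {
			return Decision{false, r.Why} // forbid wins regardless of any permit
		}
		permitted = true
	}
	if !permitted {
		return Decision{false, "no policy permits tool " + in.ToolName}
	}
	return Decision{true, ""}
}

func main() {
	raw, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "protect: cannot read hook payload; denying")
		os.Exit(2)
	}
	if d := Evaluate(DefaultPolicy, raw); !d.Allow {
		fmt.Fprintln(os.Stderr, "protect: blocked: "+d.Reason) // exit 2 blocks the tool call
		os.Exit(2)
	}
}
```

Two design points worth keeping when replacing the rule table with real Cedar policies: every error path ends in a deny, so a broken policy file cannot silently fail open; and the gate inspects only the literal arguments it is handed, so canonicalising paths and treating shell metacharacters conservatively is what narrows the check-to-execute gap.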
Layer 7, Agent Ecosystem (not certain from the listing): the skill is designed for a single-user CLI agent (Claude Code). If it were integrated into multi-agent workflows, its signed receipts could limit cascading trust abuse, since a downstream agent could verify the provenance of an upstream action before acting on it.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).