Prowler MCP (Lighthouse) — agentic threat model
The Prowler MCP server introduces significant agentic risk: it grants AI assistants direct, tool-based read access to sensitive cloud configuration across AWS, Azure, and GCP, so a compromise of the assistant or the server could expose an organization's entire cloud posture.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.60 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary for layers that the public description does not pin down.
Layer 1 (Foundation Models) — Not certain from the listing: Lighthouse relies on external LLMs via the Model Context Protocol (MCP). The primary threat is prompt injection or adversarial reprogramming that could force the model to execute unauthorized cloud checks or misinterpret compliance findings.
Layer 2 (Data Operations) — The agent processes highly sensitive cloud configuration metadata and compliance reports. Risks include exfiltration of cloud architecture details, lack of data lineage, and potential poisoning of the compliance knowledge base used for mapping.
Layer 3 (Agent Frameworks) — The MCP server exposes hundreds of cloud security check tools to the agent. Insecure tool integration or tool misuse could allow an attacker to trigger resource-intensive scans, probe unauthorized cloud APIs, or bypass intended query boundaries.
Layer 4 (Deployment and Infrastructure) — The agent runs under active cloud credentials (AWS/Azure/GCP). If the hosting environment or the MCP server itself is compromised, the result could be credential theft, privilege escalation, or lateral movement within the target cloud environments.
Layer 5 (Evaluation and Observability) — Not certain from the listing: there is no explicit mention of guardrails, evaluation frameworks, or specialized logging for the Lighthouse assistant's actions, creating potential blind spots in detecting malicious or anomalous cloud queries.
Layer 6 (Security and Compliance) — The agent's core purpose is compliance mapping, but it relies heavily on the IAM permissions of the cloud credentials provided to it. Strict adherence to the principle of least privilege (read-only IAM roles) is critical to prevent write-level abuse.
Layer 7 (Agent Ecosystem) — As an MCP server, this agent is designed to plug into broader agentic ecosystems (such as Lighthouse or other MCP clients). This introduces risks of cascading failures or unauthorized cross-agent trust exploitation if a calling agent is compromised.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).