
Pulumi — agentic threat model

AIVSS 8.9 · High

The Pulumi MCP server presents an exceptionally high-risk profile due to its ability to provision, modify, and destroy cloud infrastructure. A compromise or prompt injection attack could lead to complete infrastructure destruction or unauthorized resource creation, backed by highly privileged access tokens.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.11
Factor sum: 5.1/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.9

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.40
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing describes an MCP server rather than the underlying LLM. However, if paired with an LLM, adversarial prompt injection is a critical threat that could trick the model into executing destructive commands like 'pulumi destroy'.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The server manages stack configurations and state files, but details on how it handles training, RAG, or vector data are not provided. Gaps in state file provenance could lead to state poisoning.

L3 · Agent Frameworks (✓ mapped)

The orchestration layer (MCP client) interacts with this server to call tools. Insecure tool integration is a major threat; if the agent framework lacks strict input validation, malicious inputs could lead to arbitrary command execution or unauthorized stack modifications.

L4 · Deployment & Infrastructure (✓ mapped)

The MCP server runs in a hosting environment and holds a highly sensitive Pulumi access token. Compromise of this hosting environment or container would expose the token, leading to full privilege escalation and lateral movement across the connected cloud providers.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, policy-as-code enforcement (like Pulumi CrossGuard), or real-time monitoring of agent actions before they are applied to the cloud infrastructure.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The server relies on Pulumi token authentication. However, there is a lack of fine-grained authorization (AuthZ) or policy enforcement mentioned in the listing, meaning any agent with access to the token can perform any action the token permits, resulting in a massive blast radius.

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, this server is designed to be called by other agents. A compromised or rogue agent in a multi-agent system could abuse this tool to exfiltrate secrets or destroy infrastructure, leading to cascading failures across the ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).