sample-mcp-security-scanner (AWS) — agentic threat model
The sample-mcp-security-scanner acts as a local tool aggregator for AI assistants and presents moderate risk, centered primarily on input validation: malicious or injected code snippets could exploit vulnerabilities in the underlying static analysis tools or in the MCP wrapper itself.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.20 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.10 | |
| Opacity & Reflexivity | 0.10 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The MCP server itself does not host a foundation model, but it interfaces with models such as Amazon Q. The primary threat is indirect prompt injection, where malicious code comments trick the calling LLM into ignoring scanner warnings.
Layer 2 (Data Operations): Not certain from the listing — No training data or vector stores are mentioned. The primary data risk is the temporary handling and potential exposure of sensitive proprietary code snippets and IaC configurations sent to the scanners.
Layer 3 (Agent Frameworks): The MCP framework orchestrates local execution of Checkov, Semgrep, and Bandit. A key threat is insecure tool integration, where unsanitized input from the calling agent could lead to command injection or argument injection during CLI invocation.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The deployment environment (e.g., local developer machine, container, or EC2) is unspecified. Running these scanners without strict sandboxing poses a risk of local privilege escalation or host compromise if a scanner binary is exploited.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in guardrails, logging, or observability for the MCP server, which could leave blind spots during an active exploitation attempt.
Layer 6 (Security and Compliance): Not certain from the listing — No authentication, authorization, or access control policies are defined for the MCP server, meaning it likely trusts any local client connection by default.
Layer 7 (Agent Ecosystem): Designed specifically to integrate with Kiro and Amazon Q Developer. This creates an ecosystem risk where a compromised or manipulated coding assistant can be used as a vector to pass malicious payloads directly to the scanner tools.
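The command and argument injection risk at the framework layer comes down to how the wrapper builds the scanner's command line. As an added example (not code from the sample-mcp-security-scanner project), the following shows one way an MCP wrapper can invoke Bandit, Semgrep and Checkov so that a caller-supplied target can never become a shell metacharacter sequence or a CLI option; the chosen scanner flags and the workspace-root convention are assumptions.

```python
import subprocess
from pathlib import Path

# Fixed, trusted argument prefix per scanner. The flags are real options of
# these tools, but which ones to use is the wrapper author's choice.
SCANNERS = {
    "bandit": ["bandit", "-f", "json", "-r"],
    "semgrep": ["semgrep", "--json", "--config", "auto"],
    "checkov": ["checkov", "-o", "json", "-d"],
}

def build_scan_argv(tool: str, target: str, workspace: str) -> list[str]:
    """Return an argv list for subprocess, or raise ValueError.

    1. tool is looked up in an allowlist, so the caller cannot pick a binary;
    2. target is resolved against the workspace and must stay inside it,
       which rejects absolute paths and ../ traversal;
    3. the resolved target is an absolute path, so a value such as
       "--config=evil" is passed as a path and never parsed as an option.
    """
    if tool not in SCANNERS:
        raise ValueError(f"unknown scanner: {tool!r}")
    root = Path(workspace).resolve()
    path = (root / target).resolve()
    if path != root and root not in path.parents:
        raise ValueError(f"target escapes workspace: {target!r}")
    return [*SCANNERS[tool], str(path)]

def is_rejected(tool: str, target: str, workspace: str) -> bool:
    """True if the wrapper refuses this tool/target combination."""
    try:
        build_scan_argv(tool, target, workspace)
    except ValueError:
        return True
    return False

def run_scan(tool: str, target: str, workspace: str, timeout: int = 120):
    """Invoke the scanner without a shell and with a timeout.

    This replaces the unsafe pattern of a formatted command string run with
    shell=True, where a target like "app.py; id" is executed by the shell.
    """
    argv = build_scan_argv(tool, target, workspace)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)
```

Validation happens before any process is spawned, so a rejected target produces a ValueError the MCP layer can report back to the calling agent instead of a partially executed command.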
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).