selfhosted-doctor — agentic threat model
selfhosted-doctor presents a high confidentiality risk because its design requires it to read plaintext .env secrets and network configurations; its read-only nature limits direct integrity or availability impacts.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — the underlying LLM is not specified, but adversarial prompt injection could cause the model to ignore critical security risks or leak parsed .env secrets in its output.
Layer 2 (Data Operations): The agent directly ingests highly sensitive local data, including .env files with plaintext secrets and Cloudflare Tunnel configurations, creating a high risk of data exfiltration if the context is leaked.
Layer 3 (Agent Frameworks): Because it runs as an MCP server, insecure tool integration or prompt injection could turn its file-reading tools against local files outside the intended workspace.
Layer 4 (Deployment & Infrastructure): Runs locally (often in Docker/homelab). If the host environment is not properly sandboxed, a compromised MCP server could serve as a vector for local reconnaissance, though its operations are described as read-only.
Layer 5 (Evaluation & Observability): Not certain from the listing — there is no mention of built-in logging, guardrails, or evaluation frameworks to detect whether secrets are being exfiltrated or scan results are being manipulated.
Layer 6 (Security & Compliance): Lacks built-in authentication or authorization controls; it relies entirely on the host MCP client's permissions. Handling plaintext secrets in memory violates standard credential-handling compliance policies.
Layer 7 (Agent Ecosystem): Not certain from the listing — if integrated into a multi-agent system, other untrusted agents could query this agent to indirectly extract sensitive homelab configuration details and secrets.
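An added example, not selfhosted-doctor's own code, of the two controls the layers above call for: confining the file-reading tool to its workspace (Layer 3) and redacting credential values before parsed .env content reaches the model context (Layers 1 and 2). The function names, the key-name heuristic and the sample .env are assumptions.

```python
import re
from pathlib import Path

# Constructed sample .env content for the demo; every value here is fake.
SAMPLE_ENV = """\
# homelab stack (constructed example)
CF_TUNNEL_TOKEN=eyJhIjoiZmFrZS1hY2NvdW50LWlkIiwidCI6ImZha2UtdHVubmVsIn0
POSTGRES_PASSWORD=hunter2-example
SERVICE_PORT=8080
DEBUG=false
"""

# Assumed heuristic: key names that conventionally hold credentials. Over-redaction is
# the safe direction, so long opaque values are also treated as secrets (LONG_VALUE).
SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|KEY|CREDENTIAL", re.I)
LONG_VALUE = 32

def resolve_in_workspace(workspace: str, requested: str) -> str:
    """Confine a file read to the workspace (Layer 3): resolve() collapses '..' and
    follows symlinks on both sides, so traversal, absolute paths and symlink escapes fail."""
    root = Path(workspace).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"refusing to read outside workspace: {requested}")
    return str(target)

def is_within_workspace(workspace: str, requested: str) -> bool:
    """Boolean form of the same check, for callers that prefer to log and skip."""
    try:
        resolve_in_workspace(workspace, requested)
        return True
    except PermissionError:
        return False

def redact_env(text: str) -> dict:
    """Parse KEY=VALUE lines and replace credential values with a marker (Layers 1-2):
    the model learns which variables are set and sees non-secret settings such as
    ports, but the plaintext secret never enters its context or output."""
    redacted = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        is_secret = bool(SECRET_KEY_RE.search(key)) or len(value) >= LONG_VALUE
        redacted[key] = "<redacted>" if is_secret else value
    return redacted
```

Pair the redaction with the path check at the tool boundary, so the model receives only what the diagnosis needs and a prompt-injected request for a secret has nothing to return.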
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).