Semgrep MCP — agentic threat model

AIVSS 7.2 · High

The Semgrep MCP agent presents a moderate-to-high risk profile primarily due to its ingestion of untrusted code snippets and repositories, which can lead to indirect prompt injection via scan findings, though its lack of write-access tools limits direct destructive capabilities.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 6.3
AARS uplift: 0.89
Factor sum: 2.3 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors:

Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.50
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.20
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
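The computation behind the 7.2 above, carried through in code as an added example (it is not part of the listing or of the OWASP calculator). The formula and the ten factor weights are taken from the page; the one-decimal rounding of the final score and the 0.9 mitigation value used for comparison are assumptions.

```python
"""Worked OWASP AIVSS computation for the Semgrep MCP listing.

Added example, not from the listing. Formula and factor weights come from
the page; rounding to one decimal is an assumption about how 7.2 was shown.
"""

# The ten agentic risk factors exactly as listed on the page (each 0.0 .. 1.0).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.50,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}

CVSS_BASE = 6.3           # CVSS base score from the listing
THREAT_MULTIPLIER = 1.05  # ThM from the listing
MITIGATION_FACTOR = 1.0   # the listing applies no mitigation credit
HYPOTHETICAL_MITIGATION = 0.9  # assumed value, only to show the term's effect


def factor_sum(factors):
    """Sum of the agentic factors; the page reports 2.3 / 10."""
    return round(sum(factors.values()), 2)


def aars(cvss_base, factors, thm):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.

    (10 - CVSS_Base) scales the agentic uplift by the headroom left below 10,
    so a high CVSS base leaves little room for the agentic factors to add.
    """
    return (10 - cvss_base) * (factor_sum(factors) / 10) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded to one decimal."""
    return round((cvss_base + aars(cvss_base, factors, thm)) * mitigation, 1)


if __name__ == "__main__":
    print(f"Factor sum:  {factor_sum(AGENTIC_FACTORS)} / 10")
    print(f"AARS uplift: {aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER):.2f}")
    print(f"AIVSS:       {aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)}")
    # Same agent with a hypothetical 0.9 mitigation factor (e.g. credited sandboxing).
    print(f"AIVSS @0.9:  {aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, HYPOTHETICAL_MITIGATION)}")
```

With the page's inputs this reproduces the factor sum of 2.3, the 0.89 uplift and the 7.2 score; the last line shows that Mitigation_Factor scales the whole score, not just the agentic uplift.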

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models [⚠ not certain from listing]

Not certain from the listing — The underlying foundation model is not specified; whichever model is used, it is highly exposed to indirect prompt injection if scanned code snippets contain adversarial instructions that are returned to the model in the findings.

L2 · Data Operations [✓ mapped]

The agent ingests code repositories and custom/registry rulesets. There is a risk of data exfiltration if the agent is manipulated into sending scanned code contents to unauthorized external endpoints, or if malicious rulesets are loaded.

L3 · Agent Frameworks [✓ mapped]

The agent framework exposes Semgrep SAST tools via MCP. The primary threat is tool misuse or exploitation of the Semgrep CLI/library itself via crafted inputs (e.g., command injection through rule parameters or path traversal).

L4 · Deployment & Infrastructure [⚠ not certain from listing]

Not certain from the listing — The hosting environment is unspecified, but running static analysis on arbitrary code requires strict containerization and sandboxing to prevent local file system access or host compromise by malicious code or rules.

L5 · Evaluation & Observability [⚠ not certain from listing]

Not certain from the listing — There is no mention of built-in guardrails, logging, or evaluation mechanisms to detect when the agent's output has been hijacked by prompt injections embedded in scanned code.

L6 · Security & Compliance (cross-cutting) [⚠ not certain from listing]

Not certain from the listing — Access controls, authentication, and authorization policies for determining who can run scans or load custom rulesets are not defined in the public directory listing.

L7 · Agent Ecosystem [✓ mapped]

As an MCP tool, this agent is designed to be called by other orchestrator agents. A compromised orchestrator could abuse this agent to scan proprietary codebases, or this agent could return injected payloads that compromise the calling agent.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).