shadcn/ui MCP server — agentic threat model
The shadcn/ui MCP server presents a high-impact security surface because it can execute install commands and fetch external registry components directly into a local development environment, which makes it a prime target for supply chain attacks.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.30 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The MCP server itself does not host or define the foundation model, relying instead on Cursor's underlying LLMs (e.g., Claude, GPT) to interpret user intent and invoke the MCP tools.
Layer 2 (Data Operations): Fetches component, block, and icon data from external shadcn registries. The primary risk is registry poisoning or man-in-the-middle attacks, where malicious code or altered component definitions are served to the agent.
Layer 3 (Agent Frameworks): Integrates as an MCP server providing tools for search, preview, and installation. Vulnerabilities here include insecure tool integration, where the agent could be tricked into executing arbitrary local commands via manipulated registry payloads.
Layer 4 (Deployment & Infrastructure): Runs locally within the developer's IDE (Cursor) environment. Because it executes install commands directly in the local project, a compromise here translates directly to local code execution and potential host compromise.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of built-in logging, audit trails, or guardrails to monitor the commands generated or executed by this MCP server.
Layer 6 (Security & Compliance): Lacks explicit authorization or sandboxing controls within the plugin itself; it inherits the permissions of the host IDE and the local user, meaning any execution runs with developer-level privileges.
Layer 7 (Agent Ecosystem): Operates in a multi-agent context by plugging into Cursor. A compromised external registry could exploit the trust relationship between Cursor and the MCP server, leading to automated installation of malicious dependencies.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).