
shadcn/ui MCP server — agentic threat model

AIVSS 7.7 · High

The shadcn/ui MCP server presents a high-impact security surface due to its ability to execute install commands and fetch external registry components directly into a local development environment, making it a prime target for supply chain attacks.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.1
AARS uplift: 0.46
Factor sum: 2.4/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.60
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.30
Non-Determinism: 0.20
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
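Recomputing the listed score from the page's own formula and factor values, as an added example (not part of the listing or of the AIVSS calculator); the qualitative severity bands are an assumption, CVSS-style thresholds rather than anything the page states.

```python
# Added example: recompute this listing's OWASP AIVSS score from its stated inputs.
# Formula and factor values are the ones quoted on the page; the severity bands
# in severity_band() are an assumed CVSS-style mapping, not taken from the page.

# Ten agentic risk factors as listed on the page (each 0.0 to 1.0).
FACTORS = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.20,
}

def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return (factor_sum, aars, aivss) using the page's formula:
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0..10")
    if len(factors) != 10 or any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("expected ten factors, each within 0..1")
    factor_sum = sum(factors.values())
    # The uplift only consumes the headroom above the CVSS base, so the
    # pre-mitigation score can never exceed 10.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    aivss = (cvss_base + aars) * mitigation_factor
    return factor_sum, aars, aivss

def severity_band(score):
    """Qualitative band for a score (assumed CVSS-style thresholds)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"

if __name__ == "__main__":
    fs, aars, score = aivss_score(8.1, FACTORS, threat_multiplier=1.0, mitigation_factor=0.9)
    print(f"factor sum {fs:.1f}/10, AARS uplift {aars:.2f}, AIVSS {score:.1f} ({severity_band(score)})")
```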

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary for layers that the public description did not pin down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server itself does not host or define the foundation model, relying instead on Cursor's underlying LLMs (e.g., Claude, GPT) to interpret user intent and invoke the MCP tools.

L2 · Data Operations (✓ mapped)

Fetches component, block, and icon data from external shadcn registries. The primary risk is registry poisoning or man-in-the-middle attacks, where malicious code or altered component definitions are served to the agent.

L3 · Agent Frameworks (✓ mapped)

Integrates as an MCP server providing tools for search, preview, and installation. Vulnerabilities here include insecure tool integration, where the agent could be tricked into executing arbitrary local commands via manipulated registry payloads.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally within the developer's IDE (Cursor) environment. Because it executes install commands directly in the local project, a compromise here translates directly to local code execution and potential host compromise.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in logging, audit trails, or guardrails to monitor the commands generated or executed by this MCP server.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Lacks explicit authorization or sandboxing controls within the plugin itself; it inherits the permissions of the host IDE and the local user, meaning any execution runs with developer-level privileges.

L7 · Agent Ecosystem (✓ mapped)

Operates in a multi-agent context by plugging into Cursor. A compromised external registry could exploit the trust relationship between Cursor and the MCP server, leading to automated installation of malicious dependencies.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).