Statsig MCP Server — agentic threat model
The Statsig MCP Server introduces high agentic risk by granting LLMs write access to production feature flags and experiments, creating a direct vector for prompt injection to alter application behavior at scale.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" are general, caveated commentary where the public description did not pin down that layer.
- Layer 1, Foundation Models (not certain from the listing): The underlying foundation model is not specified, since this is an MCP server designed to connect to arbitrary LLM clients; whichever model the client uses, the server is exposed to indirect prompt injection through that client model.
- Layer 2, Data Operations (not certain from the listing): While the server queries metrics and analytics, the exact data pipeline, vector stores, or training-data protections are not detailed in the directory listing.
- Layer 3, Agent Frameworks: The MCP server exposes highly sensitive tools for reading and modifying feature gates, experiments, and metrics. Insecure tool integration or a poisoned prompt could lead to unauthorized feature enablement or metric manipulation.
- Layer 4, Deployment and Infrastructure (not certain from the listing): The deployment is described as a remote MCP server, but details regarding containerization, network isolation, or secret management for the Statsig API keys are omitted.
- Layer 5, Evaluation and Observability (not certain from the listing): No specific evaluation frameworks, guardrails, or logging mechanisms are detailed to detect or prevent malicious tool calls before they execute on Statsig.
- Layer 6, Security and Compliance: The listing explicitly notes that scoping and approval are important for write access to gates and experiments, indicating a critical need for robust authorization policies, though the implementation details are left to the user.
- Layer 7, Agent Ecosystem: As an MCP server, this tool operates within a multi-agent or client-agent ecosystem. A compromised orchestrator agent could abuse trust to silently disable features or alter experiment parameters across the organization.
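One way to implement the scoping and approval control the listing calls for, as an added example that is not the Statsig MCP Server's own code: a client-side policy gate that lets read tools through, denies write tools unless the session scope allows writes and a human has approved that exact call (tool name plus canonicalized arguments), and records every decision for detection. The tool names (get_gate, update_gate, and so on) are hypothetical placeholders, not the server's real tool list.

```python
from __future__ import annotations
import json
from dataclasses import dataclass, field

# Hypothetical tool names standing in for a Statsig-style MCP server's tools.
# Reads never change production behaviour; writes alter gates/experiments.
READ_TOOLS = {"get_gate", "list_experiments", "query_metrics"}
WRITE_TOOLS = {"update_gate", "update_experiment"}


@dataclass
class Policy:
    allow_writes: bool = False                 # read-only scope unless opted in
    approved_calls: set = field(default_factory=set)   # (tool, canonical args)
    audit: list = field(default_factory=list)  # one record per decision


def canonical_args(args: dict) -> str:
    """Stable serialization so an approval binds to exactly one change."""
    return json.dumps(args, sort_keys=True, separators=(",", ":"))


def approve(policy: Policy, tool: str, args: dict) -> None:
    """Record a human approval for one specific write call."""
    policy.approved_calls.add((tool, canonical_args(args)))


def authorize(policy: Policy, tool: str, args: dict) -> tuple[bool, str]:
    """Decide whether a model-issued tool call may be forwarded to the server."""
    if tool in READ_TOOLS:
        decision = (True, "read")
    elif tool in WRITE_TOOLS:
        if not policy.allow_writes:
            decision = (False, "write denied: session scope is read-only")
        elif (tool, canonical_args(args)) not in policy.approved_calls:
            # An injected instruction cannot ride on an approval for a
            # different gate, value or rollout: the args must match exactly.
            decision = (False, "write denied: no approval for this exact call")
        else:
            decision = (True, "write approved")
    else:
        decision = (False, "unknown tool denied")
    policy.audit.append(
        {"tool": tool, "args": args, "allowed": decision[0], "reason": decision[1]}
    )
    return decision
```

Every denied write in the audit list is a candidate alert: a model asking to flip a gate it was never approved to touch is the signature of injected or drifted instructions.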
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).