Storacha MCP Storage Server — agentic threat model
The Storacha MCP Storage Server introduces significant data exfiltration and compliance risks by allowing agents to write data to a public, immutable decentralized network (IPFS/Filecoin), meaning any accidental or malicious upload of sensitive information is permanent.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.10 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — The Storacha MCP server is a tool integration rather than a foundation model, so model-level threats such as adversarial reprogramming depend entirely on the host LLM calling this server.
Layer 2 (Data Operations): Deals directly with content-addressed files (CIDs) on IPFS/Filecoin. Key threats include data exfiltration via unauthorized uploads of sensitive agent data to public networks, and data poisoning if the agent retrieves and executes malicious files fetched via untrusted CIDs.
Layer 3 (Agent Frameworks): Exposes file upload, retrieval, and listing tools to the calling agent. The main threat is tool misuse, where a compromised or confused agent uploads internal configuration files, system prompts, or user secrets to the public decentralized web.
Layer 4 (Deployment & Infrastructure): The server holds Storacha space and agent credentials locally or in its environment. Compromise of the host environment exposes these credentials, allowing unauthorized third parties to write to or manage the associated decentralized storage space.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of built-in logging, auditing, or guardrails to inspect what data the agent is sending to the decentralized network before it is permanently published.
Layer 6 (Security & Compliance): Presents severe compliance challenges (e.g., GDPR/CCPA). Because content on IPFS/Filecoin is immutable, any personal data uploaded by the agent cannot be deleted, violating the 'right to be forgotten' and data privacy regulations.
Layer 7 (Agent Ecosystem): As an MCP tool, it can be chained into multi-agent workflows. A compromised agent in the ecosystem could abuse this tool to exfiltrate proprietary data from other agents and publish it publicly.
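As an added example, not code from the Storacha project, this is the kind of pre-publish guard that the observability layer above notes is absent and that would blunt the tool-misuse threat in the agent-framework layer: a check run inside the MCP upload tool handler before any bytes reach the network, plus an audit record for every attempt so that a permanent publication at least has a traceable origin. The function names (`inspect_upload`, `guarded_upload`), the filename denylist, the regex patterns, the size limit and the sample payloads are all constructed assumptions, not Storacha behaviour.

```python
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed denylist: file names and suffixes an agent should never publish to a
# public, permanent network regardless of content. Assumption, not a Storacha setting.
DENIED_NAMES = {".env", "id_rsa", "id_ed25519", "credentials.json", "system_prompt.md"}
DENIED_SUFFIXES = {".pem", ".key", ".p12"}

# Constructed content patterns: credentials that must not leak, plus an email
# pattern as a stand-in for personal data with GDPR/CCPA erasure obligations.
SECRET_PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bauthorization:\s*bearer\s+[A-Za-z0-9._~+/=-]{20,}"),
    "pii_email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def inspect_upload(path: str, content: bytes, max_bytes: int = 10 * 1024 * 1024) -> Verdict:
    """Decide whether a tool-requested upload may be published.

    Every reason is collected rather than returning on the first hit, so the
    audit record explains the full refusal.
    """
    reasons: list[str] = []
    p = PurePosixPath(path)
    if p.name in DENIED_NAMES or p.suffix in DENIED_SUFFIXES:
        reasons.append(f"denied filename: {p.name}")
    if len(content) > max_bytes:
        reasons.append(f"payload exceeds {max_bytes} bytes")
    # Binary payloads decode with replacement characters; the regexes still see
    # any embedded ASCII secrets.
    text = content.decode("utf-8", errors="replace")
    for label, pattern in SECRET_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"matched {label}")
    return Verdict(allowed=not reasons, reasons=reasons)


def guarded_upload(path: str, content: bytes, publish, audit: list) -> dict:
    """Wrap the real publish call: refuse on a failing verdict, log every attempt.

    `publish` stands in for the storage client's upload; it receives the bytes
    and returns the resulting CID. `audit` is any append-only sink (here a list).
    """
    verdict = inspect_upload(path, content)
    record = {
        "path": path,
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
        "allowed": verdict.allowed,
        "reasons": list(verdict.reasons),
        "cid": None,
    }
    if verdict.allowed:
        record["cid"] = publish(content)
    audit.append(record)
    return record


if __name__ == "__main__":
    # Constructed sample payloads and a fake publisher that never touches a network.
    def fake_publish(data: bytes) -> str:
        return "cid-constructed-" + hashlib.sha256(data).hexdigest()[:12]

    samples = [
        ("docs/README.md", b"# Project notes\nNothing sensitive here.\n"),
        ("app/.env", b"AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"),
        ("support/contacts.txt", b"escalation contact: alice@example.com\n"),
    ]
    audit_log: list = []
    for sample_path, sample_bytes in samples:
        rec = guarded_upload(sample_path, sample_bytes, fake_publish, audit_log)
        status = "PUBLISHED" if rec["allowed"] else "REFUSED"
        print(f"{status:9} {sample_path} cid={rec['cid']} reasons={rec['reasons']}")
```

The refusal happens in the tool handler, not in the model prompt, so a confused or prompt-injected agent cannot talk its way past it; the audit record keeps the content hash rather than the content, which lets an operator match a refused attempt to a file without copying secrets into the log.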
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).