Terraform MCP Server — agentic threat model
The Terraform MCP Server presents a high-risk profile because it bridges LLM agents directly to cloud infrastructure management (HCP Terraform). Unauthorized or unintended tool execution can lead to catastrophic real-world infrastructure destruction or compromise.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin that layer.

- Layer 1, Foundation Models (not certain from the listing): The MCP server itself does not bundle a foundation model, but the upstream LLMs calling it are vulnerable to prompt injection, which could be leveraged to maliciously trigger Terraform runs or modify workspaces.
- Layer 2, Data Operations (not certain from the listing): The server handles registry searches and workspace state. Risks include exfiltration of sensitive workspace variables or state files containing secrets, and ingestion of poisoned registry modules.
- Layer 3, Agent Frameworks: Exposes highly sensitive tools (workspace operations and run triggering) to agent frameworks. Insecure tool integration or lack of strict input validation on generated IaC parameters could lead to unauthorized infrastructure modifications.
- Layer 4, Deployment and Infrastructure (not certain from the listing): The MCP server requires access to HCP Terraform API tokens. Compromise of the hosting environment, container, or local machine running the server would directly expose these high-privilege credentials.
- Layer 5, Evaluation and Observability (not certain from the listing): Comprehensive logging and real-time monitoring of LLM-to-tool invocations are critical to detect anomalous infrastructure changes before they are applied via HCP Terraform runs.
- Layer 6, Security and Compliance: Access control relies heavily on the scope of the provided HCP Terraform token. Without strict plan-review gating and a least-privilege token configuration, the agent violates basic security and compliance boundaries.
- Layer 7, Agent Ecosystem: Designed to expose infrastructure capabilities to other agents in an MCP ecosystem. A compromised or rogue upstream agent could abuse this trust relationship to trigger malicious deployments or destroy active cloud environments.
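The plan-review gating, least-privilege token scoping and per-invocation logging called for in the observability and security layers above, written out as a policy gate that sits between the agent and the MCP server. This is an added example, not code from the page or from the Terraform MCP Server project; the tool names, the token-scope values and the sample calls are constructed assumptions.

```python
import json
import re
from dataclasses import dataclass

# Constructed tool-name patterns; the real server's tool names are not on the page.
READ_ONLY = re.compile(r"^(search|get|list|read)_")
WORKSPACE_MUTATION = re.compile(r"^(create|update|delete)_workspace$")
RUN_TRIGGER = re.compile(r"^create_run$")

@dataclass(frozen=True)
class Decision:
    tool: str
    verdict: str  # "allow", "needs_approval" or "deny"
    reason: str

def evaluate(call: dict, approved_plans: set, token_scope: str) -> Decision:
    """Gate one agent-issued tool call against least-privilege and plan-review policy."""
    tool, args = call["tool"], call.get("args", {})
    if READ_ONLY.match(tool):
        return Decision(tool, "allow", "read-only tool")
    if token_scope != "write":
        return Decision(tool, "deny", "HCP Terraform token is not write-scoped")
    if RUN_TRIGGER.match(tool):
        if args.get("auto_apply"):
            return Decision(tool, "deny", "auto-apply through the agent is disallowed")
        plan_id = args.get("plan_id")
        if plan_id in approved_plans:
            return Decision(tool, "allow", f"plan {plan_id} was human-reviewed")
        return Decision(tool, "needs_approval", "run has no reviewed plan")
    if WORKSPACE_MUTATION.match(tool):
        return Decision(tool, "needs_approval", "workspace mutation")
    return Decision(tool, "deny", "tool not covered by policy")

def gate(calls: list, approved_plans: set, token_scope: str) -> list:
    """Evaluate every call and emit one JSON audit line per decision."""
    decisions = []
    for call in calls:
        d = evaluate(call, approved_plans, token_scope)
        decisions.append(d)
        # Structured audit record: the full call plus the gate's verdict.
        print(json.dumps({**call, "verdict": d.verdict, "reason": d.reason}))
    return decisions

# Constructed sample of agent-issued calls (not real traffic).
SAMPLE_CALLS = [
    {"tool": "search_modules", "args": {"query": "vpc"}},
    {"tool": "create_run", "args": {"workspace": "prod", "plan_id": "plan-1"}},
    {"tool": "create_run", "args": {"workspace": "prod", "auto_apply": True}},
    {"tool": "delete_workspace", "args": {"workspace": "prod"}},
]
```

Running `gate(SAMPLE_CALLS, {"plan-1"}, "write")` allows the search and the reviewed run, denies the auto-apply run and holds the workspace deletion for approval; with a read-scoped token every mutating call is denied before it reaches the server.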
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).