
Terraform MCP Server — agentic threat model

AIVSS 7.9 · High

The Terraform MCP Server presents a high-risk profile because it bridges LLM agents directly to cloud infrastructure management (HCP Terraform). Unauthorized or unintended tool execution can lead to catastrophic real-world infrastructure destruction or compromise.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.76
Factor sum: 4.8 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.85

Agentic risk factors (each 0–1):
Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.40
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
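The arithmetic behind the headline score, carried through the formula quoted above with this listing's own factor values. This is an added worked example, not code from the listing or from the Terraform MCP Server project; the two-decimal and one-decimal rounding of intermediate and final values, and the CVSS-style severity bands used for the "High" label, are assumptions about how the listing displays its numbers.

```python
"""AIVSS worked example for the Terraform MCP Server listing (added illustration).

    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
"""

# Agentic factor values exactly as shown on the listing (0..1 scale each).
TERRAFORM_MCP_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}

CVSS_BASE = 8.5          # CVSS base score from the listing
THREAT_MULTIPLIER = 1.05  # ThM ("Threat x1.05" on the listing)
MITIGATION_FACTOR = 0.85  # Mitigation_Factor ("Mitigation x0.85")


def factor_sum(factors):
    """Sum of the ten agentic factors; the listing shows 4.8 / 10."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1], got {value}")
    return sum(factors.values())


def aars(cvss_base, factors, thm):
    """Agentic risk uplift: the share of the headroom above the CVSS base
    (10 - CVSS_Base) that the agentic factors claim, scaled by ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """Final AIVSS score per the formula quoted on the listing."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def severity(score):
    """CVSS-style qualitative bands (assumption about the listing's label)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rescore(overrides=None, mitigation=MITIGATION_FACTOR):
    """Recompute the listing's score with some factors or the mitigation
    factor changed, to see which controls actually move the number."""
    factors = dict(TERRAFORM_MCP_FACTORS)
    factors.update(overrides or {})
    return round(aivss(CVSS_BASE, factors, THREAT_MULTIPLIER, mitigation), 1)


def listing_score():
    """The listing's published values: (factor sum, AARS, AIVSS, label)."""
    fs = round(factor_sum(TERRAFORM_MCP_FACTORS), 2)
    up = round(aars(CVSS_BASE, TERRAFORM_MCP_FACTORS, THREAT_MULTIPLIER), 2)
    score = rescore()
    return fs, up, score, severity(score)


if __name__ == "__main__":
    print("factor sum, AARS, AIVSS, label:", listing_score())
    # Sensitivity check: gating autonomy vs. strengthening mitigation.
    print("Autonomy of Action 0.70 -> 0.20:", rescore({"Autonomy of Action": 0.20}))
    print("Mitigation 0.85 -> 0.70:", rescore(mitigation=0.70))
```

Running it reproduces the listing's 4.8, 0.76 and 7.9 (High). Because the agentic uplift is capped by the headroom above the CVSS base, halving a single factor barely moves the result, whereas the mitigation factor multiplies the whole score; that is the quantitative reason the layer commentary below leans on plan-review gating and token scoping rather than on reducing the agent's capabilities.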

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The MCP server itself does not bundle a foundation model, but the upstream LLMs calling it are vulnerable to prompt injection, which could be leveraged to maliciously trigger Terraform runs or modify workspaces.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — The server handles registry searches and workspace states. Risks include the exfiltration of sensitive workspace variables, state files containing secrets, or the ingestion of poisoned registry modules.

L3 · Agent Frameworks · ✓ mapped

Exposes highly sensitive tools (workspace operations and run triggering) to agent frameworks. Insecure tool integration or lack of strict input validation on generated IaC parameters could lead to unauthorized infrastructure modifications.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — The MCP server requires access to HCP Terraform API tokens. Compromise of the hosting environment, container, or local machine running the server would directly expose these high-privilege credentials.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — Comprehensive logging and real-time monitoring of LLM-to-tool invocations are critical to detect anomalous infrastructure changes before they are applied via HCP Terraform runs.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Access control relies heavily on the scope of the provided HCP Terraform token. Without strict plan-review gating and least-privilege token configuration, the agent violates basic security and compliance boundaries.
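The L5 and L6 entries above call for two concrete controls: monitoring of every LLM-to-tool invocation, and plan-review gating backed by least-privilege scoping. The following is an added example of what such a gate and an audit replay look like; it is not code from the Terraform MCP Server project. The tool names (registry_search, workspace_read, workspace_update, run_trigger), the workspace names, the plan identifiers and the JSON-lines log format are all constructed for illustration, and a per-workspace write allowlist stands in for a narrowly scoped HCP Terraform token.

```python
"""Deny-by-default gate between an LLM agent and mutating IaC tools,
plus an audit replay of invocation logs (added example, constructed names)."""

import json
from dataclasses import dataclass

# Illustrative effect classes; these are not the real server's tool names.
READ_ONLY_TOOLS = {"registry_search", "workspace_read"}
MUTATING_TOOLS = {"workspace_update", "run_trigger"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PlanReviewGate:
    """Two controls from the L6 commentary:
      * least privilege: the agent may mutate only the workspaces it was
        explicitly scoped to (stand-in for a narrowly scoped token);
      * plan-review gating: a run may be triggered only for a plan a human
        has reviewed and approved, and each approval is consumed once."""

    def __init__(self, writable_workspaces):
        self.writable = set(writable_workspaces)
        self.approved_plans = set()  # (workspace, plan_id) pairs not yet used

    def approve_plan(self, workspace, plan_id):
        """Record a human reviewer's sign-off on a specific plan."""
        self.approved_plans.add((workspace, plan_id))

    def check(self, call):
        tool = call.get("tool")
        ws = call.get("workspace")
        if tool in READ_ONLY_TOOLS:
            return Decision(True, "read-only tool")
        if tool not in MUTATING_TOOLS:
            return Decision(False, f"unknown tool {tool!r}: deny by default")
        if ws not in self.writable:
            return Decision(False, f"workspace {ws!r} outside the agent's write scope")
        if tool == "run_trigger":
            key = (ws, call.get("plan_id"))
            if key not in self.approved_plans:
                return Decision(False, f"no reviewed plan approval for {key}")
            self.approved_plans.discard(key)  # one approval, one run
            return Decision(True, "run on human-approved plan")
        return Decision(True, "workspace update within scope")


def audit(gate, jsonl_log):
    """Replay an invocation log through the gate; the denied list is what an
    observability pipeline should alert on before anything reaches HCP Terraform."""
    allowed, denied = [], []
    for line in jsonl_log.strip().splitlines():
        call = json.loads(line)
        decision = gate.check(call)
        (allowed if decision.allowed else denied).append((call["id"], decision.reason))
    return allowed, denied


# Constructed sample of LLM-initiated tool calls; not real traffic.
SAMPLE_LOG = """
{"id": 1, "tool": "registry_search", "query": "aws vpc"}
{"id": 2, "tool": "workspace_read", "workspace": "dev-sandbox"}
{"id": 3, "tool": "run_trigger", "workspace": "dev-sandbox", "plan_id": "plan-A"}
{"id": 4, "tool": "run_trigger", "workspace": "prod-core", "plan_id": "plan-B"}
{"id": 5, "tool": "run_trigger", "workspace": "dev-sandbox", "plan_id": "plan-C"}
{"id": 6, "tool": "unregistered_tool", "workspace": "dev-sandbox"}
"""


def run_sample():
    gate = PlanReviewGate(writable_workspaces={"dev-sandbox"})
    gate.approve_plan("dev-sandbox", "plan-A")  # reviewer signed off on plan-A only
    return audit(gate, SAMPLE_LOG)


if __name__ == "__main__":
    ok, bad = run_sample()
    print("allowed:", ok)
    print("denied :", bad)
```

Replaying the sample log allows the two reads and the run on the approved plan, and denies the run against an out-of-scope workspace, the run on a plan nobody reviewed, and the call to a tool the gate does not recognise. The deny-by-default branch matters most in an MCP ecosystem (L7): a rogue upstream agent cannot reach a mutating capability that the gate was never told about.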

L7 · Agent Ecosystem · ✓ mapped

Designed to expose infrastructure capabilities to other agents in an MCP ecosystem. A compromised or rogue upstream agent could abuse this trust relationship to trigger malicious deployments or destroy active cloud environments.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).