terraform — agentic threat model
The Terraform MCP server plugin introduces significant agentic risk due to its ability to automate cloud infrastructure provisioning and modification, potentially leading to unauthorized resource destruction or privilege escalation if manipulated by an adversarial LLM.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry only general, caveated commentary, because the public directory listing does not pin down that layer.
1. Foundation Models: Not certain from the listing — The listing describes an MCP server plugin wrapping Terraform, but does not specify the underlying LLM/foundation model used to drive it.
2. Data Operations: Not certain from the listing — The listing mentions registry and provider integration, but does not detail how training data, RAG, or vector stores are managed for this plugin.
3. Agent Frameworks: The agent acts as an MCP (Model Context Protocol) server exposing Terraform registry and provider tooling. Threats include tool misuse (e.g., executing destructive Terraform plans, resource deletion) and insecure tool integration.
4. Deployment & Infrastructure: Not certain from the listing — While it interacts with cloud infrastructure via Terraform, the hosting, sandboxing, and secrets management of the MCP server itself are not detailed in the listing.
5. Evaluation & Observability: Not certain from the listing — No monitoring, logging, or guardrails are mentioned in the public directory listing.
6. Security & Compliance: Not certain from the listing — No specific identity, authorization, policy enforcement, or compliance controls are detailed for this plugin.
7. Agent Ecosystem: Exposes an MCP server for integration into broader agentic workflows (multi-agent or client-agent ecosystems). Threats include A2A trust abuse, where another agent triggers destructive IaC actions through this server.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).