Tiberriver256/mcp-server-azure-devops — agentic threat model

AIVSS 9.7 · Critical

This Azure DevOps MCP server presents a high-risk agentic profile due to its direct write access to source code repositories, CI/CD pipelines, and work items, making it a prime target for automated supply chain attacks and credential theft.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.3
AARS uplift: 0.44
Factor sum: 5.7/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.40
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary, because the public description does not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The underlying LLM is not specified as this is an MCP server. However, model reprogramming or adversarial prompt injection could force the agent to execute unauthorized pipeline runs or modify source code maliciously.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No specific vector database or RAG architecture is defined. However, the agent reads from Azure Repos and Boards, meaning sensitive data, secrets, or intellectual property could be exfiltrated via the context window.

L3 · Agent Frameworks (✓ mapped)

The agent framework layer is highly critical here; insecure tool integration or lack of strict validation on tool arguments allows an LLM to misuse Azure DevOps APIs, potentially deleting repositories, altering branch policies, or injecting malicious code.

L4 · Deployment & Infrastructure (✓ mapped)

The security surface relies heavily on Personal Access Token (PAT) scopes and credential handling. If the hosting environment is compromised, these high-privilege Azure DevOps credentials can be stolen, leading to lateral movement into enterprise infrastructure.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The listing mentions no logging, auditing, or guardrail mechanisms for monitoring the agent's API calls to Azure DevOps, which leaves a significant blind spot for detecting unauthorized modifications.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Identity and authorization are critical cross-cutting concerns. The agent operates using the permissions of the provided PAT; if the PAT is over-privileged, the agent inherits excessive authority without fine-grained, policy-based access controls.

L7 · Agent Ecosystem (✓ mapped)

In a multi-agent ecosystem, another compromised or rogue agent could interact with this Azure DevOps agent, tricking it into committing malicious code or triggering pipelines, leading to cascading supply chain failures.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).