Tigris MCP Server — agentic threat model

AIVSS 9.2 · Critical

The Tigris MCP Server exposes S3-compatible object storage operations directly to LLMs, presenting a high-risk vector for unauthorized data exfiltration, deletion, or credential exposure if the agent is manipulated via prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.6 · AARS uplift 0.65 · Factor sum 4.4/10 · Threat ×1.05 · Mitigation ×1.0

Autonomy of Action: 0.60
Goal-Driven Planning: 0.40
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.30
Non-Determinism: 0.40
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — the MCP server itself does not specify a foundation model, but any connected LLM is highly vulnerable to prompt injection attacks that could trick the model into executing unauthorized bucket or object operations.

L2 · Data Operations ✓ mapped

Directly manages S3-compatible object storage. The primary threat is data exfiltration, unauthorized object modification, or complete deletion of buckets and objects via malicious tool calls.

L3 · Agent Frameworks ✓ mapped

Exposes powerful bucket and object management tools over the Model Context Protocol (MCP). It is vulnerable to tool misuse, where an LLM is manipulated into executing destructive storage commands without proper validation.

L4 · Deployment & Infrastructure ✓ mapped

Requires storage of Tigris/S3 credentials. If the hosting environment or the MCP host process is compromised, these high-value credentials could be leaked, leading to full cloud storage compromise.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — there is no mention of built-in logging, audit trails, or guardrails to monitor and intercept anomalous or destructive object storage operations initiated by the agent.

L6 · Security & Compliance (cross-cutting) ✓ mapped

Relies on Tigris/S3 credential authentication. A critical threat is the lack of fine-grained authorization (IAM) policies, potentially granting the agent broad read/write/delete permissions instead of least-privilege access.

L7 · Agent Ecosystem ✓ mapped

In a multi-agent or marketplace setup, other compromised or untrusted agents could interact with this MCP server to read sensitive data or write malicious payloads into the object store.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).