
Tolgee MCP — agentic threat model

AIVSS 6.7 · Medium

The Tolgee MCP server introduces moderate agentic risk by allowing coding assistants to perform write operations (mutations) on localization projects via API keys. While its scope is limited to translation management, unauthorized key manipulation or prompt injection could lead to widespread content defacement or application-level injection attacks.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 6.4
AARS uplift: 1.04
Factor sum: 2.9/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Agentic risk factors:
Autonomy of Action: 0.40
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.50
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.20
Non-Determinism: 0.50
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
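The formula above, carried through with this listing's own numbers, as an added worked example (not part of the original page or of the AIVSS calculator): it sums the ten factor scores, derives the AARS uplift, applies the mitigation factor, and reproduces the 6.7 score; the range check on each factor is an assumption about the scoring scale (0.0 to 1.0), not something the listing states.

```python
"""Worked AIVSS computation for the Tolgee MCP listing.

AIVSS = (CVSS_Base + AARS) x Mitigation_Factor
AARS  = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM
"""

# Agentic risk factors exactly as given on the listing.
TOLGEE_MCP_FACTORS = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.50,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.30,
}


def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return the intermediate and final AIVSS values as a dict.

    Each factor is assumed to be scored on a 0.0-1.0 scale (an assumption
    of this example); anything outside that range is rejected so a typo in
    a score cannot silently inflate or deflate the uplift.
    """
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")

    factor_sum = sum(factors.values())
    # AARS scales the remaining headroom above the CVSS base by the
    # normalised factor sum and the threat multiplier.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    aivss = (cvss_base + aars) * mitigation_factor
    return {
        "factor_sum": round(factor_sum, 2),
        "aars": round(aars, 2),
        "aivss": round(aivss, 1),
    }


if __name__ == "__main__":
    print(aivss_score(6.4, TOLGEE_MCP_FACTORS, threat_multiplier=1.0, mitigation_factor=0.9))
```

Dropping the mitigation factor to 1.0 (no mitigations credited) lifts the result to 7.4, which is a quick way to see how much of the "Medium" rating rests on that single multiplier.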

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The Tolgee MCP server does not host its own foundation models; it relies on the external coding assistant's LLM. Threats include prompt injection targeting the assistant to abuse the translation tools.

L2 · Data Operations (✓ mapped)

The agent interacts directly with translation keys and localization data. Risks include data exfiltration of sensitive strings or poisoning of translation databases via malicious machine-translation triggers.

L3 · Agent Frameworks (✓ mapped)

The MCP server exposes specific tools (search, create, update, trigger MT). Vulnerabilities include tool misuse where an LLM is manipulated into overwriting critical localization keys with malicious payloads.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment environment of the MCP server itself is unspecified, but it requires secure storage of the Tolgee API key to prevent credential theft and unauthorized project access.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, logging, or anomaly detection to monitor translation mutations or flag suspicious bulk updates.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Security relies heavily on the scope of the Tolgee API key used. If a write-enabled key is provided, the agent has the authority to mutate project content, highlighting a need for strict least-privilege access controls.

L7 · Agent Ecosystem (✓ mapped)

The server integrates directly with coding assistants (e.g., Claude Desktop, Cursor). A compromise in the orchestrating assistant or a malicious multi-agent workflow could result in unauthorized localization changes.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).