Vercel MCP Server — agentic threat model

AIVSS 8.8 · High

The Vercel MCP Server introduces high agentic risk due to its integration with OAuth-scoped deployment and project environments, potentially allowing malicious actors to exfiltrate sensitive build logs or manipulate production infrastructure.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.79
Factor sum: 5.0/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.60
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.40
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
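To make the score reproducible, here is an added worked computation of the formula above using this listing's ten factor values (example code written for this page, not the site's own calculator). It uses exact fractions so the rounded intermediates match the page; the severity bands are an assumption that AIVSS reuses the CVSS qualitative cut-offs.

```python
from fractions import Fraction

# Agentic risk factors exactly as listed on the page (each scored 0.0 to 1.0),
# kept as strings so Fraction() parses them exactly and no float drift creeps in.
FACTORS = {
    "Autonomy of Action": "0.60",
    "Goal-Driven Planning": "0.50",
    "Self-Modification": "0.10",
    "Dynamic Tool Use": "0.80",
    "Persistent Memory": "0.20",
    "Contextual Awareness": "0.70",
    "Dynamic Identity": "0.80",
    "Multi-Agent Interactions": "0.40",
    "Non-Determinism": "0.50",
    "Opacity & Reflexivity": "0.40",
}

def aivss(cvss_base, factors, threat_mult, mitigation):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, with
    AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, evaluated exactly."""
    base = Fraction(str(cvss_base))
    if not 0 <= base <= 10:
        raise ValueError("CVSS base must lie in 0..10")
    scores = {name: Fraction(str(v)) for name, v in factors.items()}
    for name, s in scores.items():
        if not 0 <= s <= 1:
            raise ValueError(f"factor {name!r} must lie in 0..1, got {s}")
    factor_sum = sum(scores.values())
    # AARS only scales the headroom above the CVSS base, so the pre-mitigation
    # score stays <= 10 whenever ThM <= 1; clamp in case a larger ThM is used.
    aars = (10 - base) * (factor_sum / 10) * Fraction(str(threat_mult))
    score = min(Fraction(10), (base + aars) * Fraction(str(mitigation)))
    return {
        "factor_sum": float(round(factor_sum, 2)),  # 5.0 for this listing
        "aars": float(round(aars, 2)),              # 0.79
        "aivss": float(round(score, 1)),            # 8.8
    }

def severity(score):
    """Qualitative band; assumes AIVSS reuses the CVSS v3/v4 cut-offs."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"
```

Calling `aivss(8.5, FACTORS, threat_mult=1.05, mitigation=0.95)` reproduces the page's intermediates (factor sum 5.0, AARS 0.79) and the final 8.8, which `severity()` bands as High.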

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — the MCP server relies on external client-side LLMs to drive tool execution; however, model-level vulnerabilities like prompt injection could force the model to execute unauthorized Vercel API calls.

L2 · Data Operations · ✓ mapped

The agent accesses deployment logs and environment variables, which may carry highly sensitive build data, secrets, and proprietary source code, making data exfiltration a primary threat.

L3 · Agent Frameworks · ✓ mapped

Exposes powerful tools for querying projects, deployments, and performing account operations. Insecure tool integration or lack of strict input validation on the client framework side could lead to tool misuse.

L4 · Deployment & Infrastructure · ✓ mapped

The MCP server acts as a bridge to Vercel's cloud infrastructure. Compromise of the hosting environment or the MCP communication channel could expose active deployment environments and Vercel API tokens.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — there is no mention of built-in guardrails, evaluation frameworks, or anomaly detection to monitor and block suspicious Vercel API requests generated by the agent.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

OAuth remote access and scope management are critical. Insufficiently scoped OAuth tokens or lack of fine-grained authorization controls could allow the agent to perform destructive account-level operations.

L7 · Agent Ecosystem · ✓ mapped

As an MCP server, this agent is designed to be called by other host agents. This introduces cascading risks where a compromised orchestrator agent can abuse the Vercel MCP tools to compromise production pipelines.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).