
Vizro MCP — agentic threat model

AIVSS 8.7 · High

Vizro MCP presents a moderate-to-high risk profile primarily due to its capability to generate Python code and configurations from natural language inputs. The primary security boundary lies in the sandboxing of the runtime environment (such as PyCafe or local servers) where the generated dashboard code is executed.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.32
Factor sum: 2.7/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.30
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.30
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
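The following is an added worked example (not the OWASP AIVSS calculator and not code from this listing site) that recomputes the score above from the page's own inputs, so a reader can check the 8.7 and see how much of it the mitigation credit accounts for. The qualitative severity bands are an assumption: they follow the CVSS v3.x None/Low/Medium/High/Critical thresholds, which is consistent with 8.7 being shown as "High".

```python
# Added worked example: recompute the AIVSS score on this listing from its
# published inputs. Illustrative code, not the OWASP AIVSS calculator.

CVSS_BASE = 8.8           # CVSS base score from the listing
THREAT_MULTIPLIER = 1.0   # ThM from the listing
MITIGATION_FACTOR = 0.95  # Mitigation_Factor from the listing

# The ten agentic risk factors, each in [0, 1], as estimated on the listing.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def factor_sum(factors):
    """Sum of the agentic factors; the formula divides this by 10."""
    return sum(factors.values())


def aars(cvss_base, factors, thm):
    """Agentic AI Risk Score: the uplift the agentic factors add on top of CVSS.

    (10 - CVSS_Base) is the headroom left below the maximum score, so AARS can
    never push CVSS_Base + AARS above 10 while the factors stay within [0, 1]."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def severity(score):
    """Qualitative band; thresholds assumed to be the CVSS v3.x ones."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_listing(mitigation=MITIGATION_FACTOR):
    """Return (AARS, AIVSS, band), rounded the way the listing displays them."""
    uplift = aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER)
    total = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, mitigation)
    return round(uplift, 2), round(total, 1), severity(round(total, 1))


if __name__ == "__main__":
    print("factor sum:", round(factor_sum(AGENTIC_FACTORS), 2))
    print("with listed mitigation (x0.95):", score_listing())
    # Without the 0.95 mitigation credit the same agent lands in the Critical band.
    print("without mitigation credit (x1.0):", score_listing(mitigation=1.0))
```

Running it reproduces the listing (factor sum 2.7, AARS 0.32, AIVSS 8.7 High) and shows that the 0.95 mitigation factor is what keeps the score out of the Critical band: with no mitigation credit the same inputs give 9.1.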

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — relies on the host client's configured LLM (e.g., Claude via MCP). It is vulnerable to prompt injection attacks that could manipulate the generated Python or configuration code.

L2 · Data Operations (✓ mapped)

Reads supplied datasets to generate visualizations. Vulnerable to data poisoning or malicious datasets designed to exploit parsing vulnerabilities or manipulate the generated code structure.

L3 · Agent Frameworks (✓ mapped)

Uses the Model Context Protocol (MCP) to expose tools for dashboard generation and config validation. Tool misuse could occur if the agent is tricked into generating malicious Python code that is subsequently executed.

L4 · Deployment & Infrastructure (✓ mapped)

Generated code executes in the dashboard runtime (e.g., PyCafe or local Vizro instance). If this runtime environment is not strictly sandboxed, it poses a severe risk of remote code execution (RCE) on the host system.

L5 · Evaluation & Observability (✓ mapped)

Includes configuration validation to check dashboard structures, but lacks explicit security-focused guardrails to detect malicious code generation or unauthorized data access attempts.
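Layers L3 to L5 above describe the same gap from three angles: generated Python is executed by the dashboard runtime, and the existing validation checks dashboard structure rather than what the code does. The block below is an added example, not part of Vizro MCP or of this listing, of a minimal pre-execution guardrail that statically scans generated code for imports, calls and attribute patterns a plain Vizro/pandas/plotly dashboard script has no reason to contain. The deny-list contents and the two sample scripts are constructed for illustration; the scanner is a complement to sandboxing the runtime (L4), not a replacement for it.

```python
import ast

# Added example of a pre-execution guardrail for LLM-generated dashboard code.
# Not part of Vizro MCP. The deny-lists are illustrative choices for a script
# that should only build pandas frames, plotly figures and Vizro models.
DISALLOWED_MODULES = {"os", "sys", "subprocess", "shutil", "socket",
                      "importlib", "ctypes", "pickle", "pathlib"}
DISALLOWED_CALLS = {"eval", "exec", "compile", "open", "__import__", "input"}


def _call_name(func):
    """Callee name for `name(...)` or `obj.attr(...)`, else an empty string."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_generated_code(source):
    """Return a list of (line, reason) findings; an empty list means no hit.

    Pure static analysis: the source is parsed with the ast module and never
    executed, so scanning a malicious script cannot run it."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, f"syntax error: {exc.msg}")]

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DISALLOWED_MODULES:
                    findings.append((node.lineno, f"import of {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in DISALLOWED_MODULES:
                findings.append((node.lineno, f"import from {node.module}"))
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in DISALLOWED_CALLS:
                findings.append((node.lineno, f"call to {name}()"))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # dunder attribute access is a common way around import deny-lists
            findings.append((node.lineno, f"dunder attribute {node.attr}"))
    return findings


def is_safe_to_run(source):
    """True only when the scanner reports nothing; the runtime should gate on this."""
    return not scan_generated_code(source)


# Constructed samples: a benign generated dashboard, and one where injected
# instructions smuggled an environment read plus eval() into the "dashboard".
BENIGN_SAMPLE = """\
import pandas as pd
import plotly.express as px
import vizro.models as vm
from vizro import Vizro

df = pd.DataFrame({"x": [1, 2, 3], "y": [2, 4, 8]})
page = vm.Page(title="Demo", components=[vm.Graph(figure=px.line(df, x="x", y="y"))])
Vizro().build(vm.Dashboard(pages=[page])).run()
"""

TAINTED_SAMPLE = """\
import pandas as pd
import os
df = pd.DataFrame(eval(os.environ.get("DATA", "{}")))
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("tainted", TAINTED_SAMPLE)):
        print(label, "->", scan_generated_code(src) or "no findings")
```

A deny-list like this is deliberately coarse: it will flag legitimate but unusual code and it cannot reason about what an allowed call does with the data it receives, which is why the listing's L4 point about a strictly sandboxed runtime remains the primary control. Its value is as a cheap, auditable check that turns "the model generated something odd" into a logged finding before any execution happens.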

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — as an open-source MCP server, security controls such as authentication, authorization, and audit logging are largely delegated to the host client and deployment environment.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — designed as a specialized MCP tool, which could be integrated into larger multi-agent workflows, but does not natively coordinate with other agents out-of-the-box.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).