AgentReadyHome · Agent Listing

Webflow MCP Server — agentic threat model

AIVSS 8.8 · High

The Webflow MCP Server introduces significant agentic risk by granting LLMs direct write and publish access to live production websites and CMS databases, making unauthorized content modification or site defacement highly plausible if the agent is compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.74
Factor sum: 4.7/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.30
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The MCP server itself is model-agnostic and does not specify a foundation model. However, the underlying model's susceptibility to prompt injection or jailbreaking directly translates to unauthorized Webflow API execution.

L2 · Data Operations · ✓ mapped

The agent interacts directly with Webflow CMS collections and items as its primary data layer. Risks include data poisoning of CMS content, unauthorized exfiltration of proprietary site structures, and injection of malicious scripts into CMS fields that render on live user-facing sites.

L3 · Agent Frameworks · ✓ mapped

The agent framework relies on the Model Context Protocol (MCP) to expose tools for listing sites, querying structures, and managing CMS items. The primary threat is tool misuse, where an LLM is tricked into executing destructive tools (like deleting CMS items or publishing unauthorized changes) without explicit confirmation.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — The hosting environment of the MCP server is not specified. If self-hosted or run locally, threats include insecure storage of Webflow OAuth/API tokens in environment variables and potential local privilege escalation if the server process is compromised.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — The description notes that 'publish-confirmation' is important but does not detail built-in guardrails, logging, or human-in-the-loop (HITL) enforcement mechanisms within the server itself to monitor or intercept malicious API calls.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Authentication is handled via Webflow OAuth or API tokens. The primary risk is a lack of fine-grained authorization (AuthZ) within the MCP server, meaning any model with access to the server inherits the full write/publish permissions of the configured token.
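The L3 and L6 findings above (destructive tools executed without confirmation; every model inheriting the token's full write/publish rights) are both addressed by a policy gate that an MCP host or proxy places in front of the tool calls. The following is an added example of such a gate, not code from the Webflow MCP Server: the tool names, the `site_id` argument and the ToolPolicy/ToolCall types are hypothetical, chosen to match the capabilities the listing describes (listing sites, querying structures, managing and publishing CMS items).

```python
# Added example: a default-deny policy gate for MCP tool calls. It scopes the
# configured token to an allowlist of sites, blocks destructive tools unless a
# human has confirmed the specific call, and logs every decision so the
# observability layer (L5) has an audit trail to read.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical tool names grouped by their effect on the live site.
READ_ONLY_TOOLS: Set[str] = {"list_sites", "get_site_structure", "list_cms_items"}
WRITE_TOOLS: Set[str] = {"create_cms_item", "update_cms_item"}
DESTRUCTIVE_TOOLS: Set[str] = {"delete_cms_item", "publish_site"}
KNOWN_TOOLS: Set[str] = READ_ONLY_TOOLS | WRITE_TOOLS | DESTRUCTIVE_TOOLS
# Every tool except the site listing operates on one site and must name it.
SITE_SCOPED_TOOLS: Set[str] = KNOWN_TOOLS - {"list_sites"}


@dataclass
class ToolCall:
    tool: str
    args: Dict[str, str]
    confirmed: bool = False  # True only when a human approved this exact call


@dataclass
class ToolPolicy:
    allowed_site_ids: Set[str]          # least privilege: sites this session may touch
    allow_writes: bool = True           # False gives a read-only session
    audit_log: List[str] = field(default_factory=list)

    def evaluate(self, call: ToolCall) -> Tuple[bool, str]:
        """Return (allowed, reason) and record the decision in the audit log."""
        allowed, reason = self._decide(call)
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} {call.tool} {call.args} ({reason})")
        return allowed, reason

    def _decide(self, call: ToolCall) -> Tuple[bool, str]:
        if call.tool not in KNOWN_TOOLS:
            return False, "unknown tool (default deny)"
        if call.tool in SITE_SCOPED_TOOLS:
            site = call.args.get("site_id")
            if site is None or site not in self.allowed_site_ids:
                return False, "site not in allowlist"
        if call.tool in READ_ONLY_TOOLS:
            return True, "read-only"
        if not self.allow_writes:
            return False, "writes disabled for this session"
        if call.tool in DESTRUCTIVE_TOOLS and not call.confirmed:
            return False, "destructive tool requires explicit confirmation"
        return True, "write permitted"


if __name__ == "__main__":
    # Constructed sample calls, as a model might emit them during one session.
    policy = ToolPolicy(allowed_site_ids={"site-A"})
    for call in (
        ToolCall("list_sites", {}),
        ToolCall("get_site_structure", {"site_id": "site-B"}),
        ToolCall("delete_cms_item", {"site_id": "site-A", "item_id": "42"}),
        ToolCall("delete_cms_item", {"site_id": "site-A", "item_id": "42"}, confirmed=True),
    ):
        print(policy.evaluate(call))
```

The gate is deliberately coarse: it does not inspect CMS field contents, so the script-injection risk noted under L2 still needs output encoding on the site side. Its value is that a prompt-injected model can at most read allowed sites and stage unpublished writes; deleting items or publishing still requires a confirmation the model cannot produce itself, and the audit log records every attempt.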

L7 · Agent Ecosystem · ✓ mapped

In a multi-agent ecosystem, other agents could discover and invoke this MCP server. Without strict access controls, a compromised upstream agent could abuse the Webflow tools to deface websites or inject SEO spam.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).