wecom-msg-audit-mcp — agentic threat model
This agent is an extremely high-risk data bridge: it decrypts and stores corporate WeChat (WeCom) communications. Its primary risks are unauthorized exfiltration of cleartext employee chats and exposure of the cryptographic private keys to the LLMs that call it.
OWASP AIVSS score rationale
| Agentic factor | Score | Rationale (estimated from the described capabilities) |
|---|---|---|
| Autonomy of Action | 0.30 | Acts only when a tool is invoked over MCP; no independent task execution is described. |
| Goal-Driven Planning | 0.10 | Tools are single-purpose (decrypt, store, search, retrieve); no planning loop is described. |
| Self-Modification | 0.00 | No ability to change its own code or configuration is described. |
| Dynamic Tool Use | 0.60 | Exposes search and retrieval tools to any calling agent and reaches out to R2/S3 storage. |
| Persistent Memory | 0.50 | Keeps a locally cached cleartext database and an R2/S3 archive of chat records. |
| Contextual Awareness | 0.20 | Context is limited to the stored chat records; no wider environmental awareness is described. |
| Dynamic Identity | 0.40 | Holds long-lived WeCom private keys and R2/S3 credentials that every caller effectively acts under. |
| Multi-Agent Interactions | 0.30 | Designed to be called by other agents over MCP. |
| Non-Determinism | 0.20 | The server itself is deterministic; variability comes from the calling LLM. |
| Opacity & Reflexivity | 0.30 | No audit logging of AI queries is described, so its use is hard to inspect after the fact. |
Scored with the canonical OWASP AIVSS formula (see the OWASP AIVSS calculator); the agentic risk factors are estimates derived from the agent's described capabilities, not from a code review.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the seven MAESTRO layers in order. Layers tagged "not certain from the listing" carry general, caveated commentary because the public description does not pin down that layer.
Layer 1, Foundation Models: not certain from the listing. The tool does not specify a foundation model, but any LLM driving this MCP server can be prompt-injected into leaking decrypted chat histories to unauthorized parties. Note that the chat records it retrieves are themselves untrusted, employee- and externally-authored text, so indirect injection through tool results is a plausible path.
Layer 2, Data Operations: critical risk surface. The agent decrypts, stores and archives (R2/S3) sensitive corporate chat records. Threats include exfiltration of cleartext logs, unauthorized or over-broad search queries, and insecure storage of the private keys required for decryption; key material must never be reachable through a tool result.
Layer 3, Agent Frameworks: the MCP integration exposes search and retrieval tools to other agents. If the orchestration layer lacks strict input validation and result limits (for example, an empty or wildcard query with no cap on returned rows), a malicious or compromised agent can page through and dump the entire chat database.
Layer 4, Deployment and Infrastructure: the agent requires local storage and R2/S3 credentials. Compromise of the host environment exposes the WeCom private keys, the object-store credentials, other corporate secrets, and the locally cached cleartext database, so the host must be protected to the same standard as the chat corpus itself.
Layer 5, Evaluation and Observability: not certain from the listing. There is no mention of built-in guardrails, query rate-limiting, or audit logging of the AI's queries against the decrypted chat database; without these, misuse is neither prevented up front nor detectable afterwards.
Layer 6, Security and Compliance: high compliance and privacy risk (GDPR/PII). The tool processes employee communications in cleartext, and the listing does not describe role-based access control (RBAC) or consent management for auditing these records.
Layer 7, Agent Ecosystem: as an MCP tool it is designed to be called by other agents. This creates a significant risk of agent-to-agent trust abuse, where a secondary agent with outbound internet access queries this agent and relays corporate secrets out of the environment. The listing does not describe caller authentication or an allowlist of permitted agents.
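The Layer 3, 5 and 7 points above share one root cause: a search tool that any caller can invoke with an unbounded query. The example below is added here to make that concrete; it is not code from wecom-msg-audit-mcp or from the MCP framework. It contrasts a naive search that dumps the whole store on an empty query with a handler that enforces a caller allowlist, a minimum query length, a result cap, a per-caller rate limit and an audit log. The record layout, policy fields, caller names and the in-memory store standing in for the decrypted database are all constructed for the example.

```python
"""Hardened search tool over a decrypted chat store (added example).

Illustrative code for this page, not code from wecom-msg-audit-mcp.
Record layout, policy fields and caller names are hypothetical.
"""
from __future__ import annotations

import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample records standing in for decrypted WeCom messages.
SAMPLE_RECORDS = [
    {"msgid": "m1", "from": "alice", "text": "Q3 budget draft attached"},
    {"msgid": "m2", "from": "bob", "text": "Customer list for the EU launch"},
    {"msgid": "m3", "from": "alice", "text": "Lunch at noon?"},
    {"msgid": "m4", "from": "carol", "text": "Budget approved by finance"},
]


def naive_search(records: list[dict], query: str) -> list[dict]:
    """Unbounded search: an empty query matches every record, so one tool
    call from any agent returns the entire cleartext store."""
    return [r for r in records if query.lower() in r["text"].lower()]


class ToolError(Exception):
    """Rejected tool call; the message is safe to hand back to the caller."""


@dataclass(frozen=True)
class Policy:
    allowed_callers: frozenset[str]   # agent identities permitted to query
    min_query_len: int = 3            # blocks "" and one-character dump queries
    max_results: int = 20             # hard cap regardless of the requested limit
    rate_limit: int = 5               # calls per caller per window
    window_s: float = 60.0


class SearchTool:
    def __init__(self, records, policy, clock=time.monotonic):
        self._records = records
        self._policy = policy
        self._clock = clock            # injectable so the demo is deterministic
        self._calls = defaultdict(deque)
        self.audit_log: list[dict] = []

    def _enforce_rate(self, caller: str) -> None:
        now = self._clock()
        window = self._calls[caller]
        while window and now - window[0] >= self._policy.window_s:
            window.popleft()           # drop timestamps outside the window
        if len(window) >= self._policy.rate_limit:
            raise ToolError("rate limit exceeded")
        window.append(now)

    def search(self, caller: str, query: str, limit: int | None = None) -> list[dict]:
        # Log every attempt before any check so rejected calls are auditable too.
        entry = {"ts": self._clock(), "caller": caller, "query": query,
                 "ok": False, "returned": 0}
        self.audit_log.append(entry)
        p = self._policy
        if caller not in p.allowed_callers:
            raise ToolError("caller not authorised for chat search")
        if len(query.strip()) < p.min_query_len:
            raise ToolError(f"query must be at least {p.min_query_len} characters")
        self._enforce_rate(caller)
        cap = p.max_results if limit is None else min(limit, p.max_results)
        hits = naive_search(self._records, query)[:cap]
        # Project to the fields a reviewer needs; nothing else leaves the server.
        out = [{"msgid": h["msgid"], "from": h["from"], "text": h["text"]} for h in hits]
        entry.update(ok=True, returned=len(out))
        return out


class FakeClock:
    """Deterministic stand-in for time.monotonic used by demo()."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    """Run both versions on the constructed records and report what each exposes."""
    dumped = naive_search(SAMPLE_RECORDS, "")            # whole store, no checks
    clock = FakeClock()
    tool = SearchTool(SAMPLE_RECORDS,
                      Policy(allowed_callers=frozenset({"auditor-agent"}), rate_limit=3),
                      clock=clock)
    hits = tool.search("auditor-agent", "budget")        # two matching records
    rejected = 0
    for caller, q in [("web-agent", "budget"), ("auditor-agent", "")]:
        try:
            tool.search(caller, q)                       # unknown caller, then dump query
        except ToolError:
            rejected += 1
    for _ in range(2):
        tool.search("auditor-agent", "launch")           # uses up the 3-call window
    try:
        tool.search("auditor-agent", "lunch")            # fourth call is throttled
    except ToolError:
        rejected += 1
    clock.t += 60.0                                      # window expires
    after_window = tool.search("auditor-agent", "lunch")
    return {"dumped": len(dumped), "hits": len(hits), "rejected": rejected,
            "after_window": len(after_window), "audited": len(tool.audit_log)}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. Rejected calls are logged before any check runs, because an agent probing the tool with unauthorised or over-broad queries is exactly the signal an incident responder wants to find later. And the result projection is deliberate: the hardened handler returns only message id, sender and text, so anything else that ends up in the store (including, in a real deployment, key material or storage credentials kept nearby) never appears in a tool result regardless of the query.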
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).