AgentReadyHomeAgent Listing

← AgentQL MCP

AgentQL MCP — agentic threat model

7.4AIVSS 7.4 · High

AgentQL MCP presents a moderate risk profile primarily acting as an ingestion vector for indirect prompt injection, as it fetches and structures untrusted web content for consumption by parent LLMs without built-in sanitization.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.8AARS uplift 0.58Factor sum 1.8/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.10
Persistent Memory
0.00
Contextual Awareness
0.40
Dynamic Identity
0.10
Multi-Agent Interactions
0.30
Non-Determinism
0.40
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The listing does not specify the underlying foundation model used by AgentQL's API, but the system is inherently vulnerable to indirect prompt injection and adversarial text embedded in target web pages.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — The tool processes real-time web page data and returns structured JSON. There is no explicit mention of vector stores, caching, or training data operations, though untrusted web data ingestion poses a data poisoning risk.

L3 · Agent Frameworks✓ mapped

The tool integrates via the Model Context Protocol (MCP) as an extract-data tool. The primary threat is insecure tool integration where a parent agent blindly trusts the structured JSON output, which may contain injected instructions from untrusted web pages.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The tool relies on the AgentQL API and an API key. The hosting environment, sandboxing of the browser/scraper, and secret management for the API key are not detailed in the listing.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, logging, or drift detection to identify when a web page is attempting to inject malicious payloads into the extracted JSON.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — The tool uses an AgentQL API key for authentication, but the listing does not detail broader compliance, access controls, or audit logging mechanisms.

L7 · Agent Ecosystem✓ mapped

The tool is designed for the MCP ecosystem, allowing other agents to call it. This introduces risks of cascading failures or multi-agent trust abuse if a compromised parent agent uses AgentQL to scrape sensitive internal pages or if AgentQL returns poisoned data to the ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).