AgentQL MCP — agentic threat model
AgentQL MCP presents a moderate risk profile primarily acting as an ingestion vector for indirect prompt injection, as it fetches and structures untrusted web content for consumption by parent LLMs without built-in sanitization.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.10 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The listing does not specify the underlying foundation model used by AgentQL's API, but the system is inherently vulnerable to indirect prompt injection and adversarial text embedded in target web pages.
Not certain from the listing — The tool processes real-time web page data and returns structured JSON. There is no explicit mention of vector stores, caching, or training data operations, though untrusted web data ingestion poses a data poisoning risk.
The tool integrates via the Model Context Protocol (MCP) as an extract-data tool. The primary threat is insecure tool integration where a parent agent blindly trusts the structured JSON output, which may contain injected instructions from untrusted web pages.
Not certain from the listing — The tool relies on the AgentQL API and an API key. The hosting environment, sandboxing of the browser/scraper, and secret management for the API key are not detailed in the listing.
Not certain from the listing — There is no mention of built-in guardrails, logging, or drift detection to identify when a web page is attempting to inject malicious payloads into the extracted JSON.
Not certain from the listing — The tool uses an AgentQL API key for authentication, but the listing does not detail broader compliance, access controls, or audit logging mechanisms.
The tool is designed for the MCP ecosystem, allowing other agents to call it. This introduces risks of cascading failures or multi-agent trust abuse if a compromised parent agent uses AgentQL to scrape sensitive internal pages or if AgentQL returns poisoned data to the ecosystem.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).