AgentWeb — agentic threat model
AgentWeb acts as a high-exposure data provisioning tool and MCP server. Its primary risk lies in supply-chain vulnerability via unauthenticated 'npx' execution and the potential for downstream agents to ingest poisoned search results or malicious booking links.
OWASP AIVSS score rationale

| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — AgentWeb is a data-delivery API and MCP server rather than a foundation model, so direct LLM alignment or model-stealing threats do not apply directly to this component.
Layer 2 (Data Operations): Serves real-time data for 72M+ businesses and travel services. Without clear data provenance or validation mechanisms, it is highly susceptible to data poisoning or to serving malicious/phishing URLs disguised as legitimate booking links.
Layer 3 (Agent Frameworks): Integrates directly into agent frameworks via the Model Context Protocol (MCP). Insecure tool integration on the client side could lead to downstream agents executing untrusted actions based on the returned booking links or business websites.
Layer 4 (Deployment and Infrastructure): Presents significant infrastructure risk by encouraging installation via 'npx -y agentweb-mcp'. This introduces supply-chain vulnerabilities, where a compromise of the npm package could lead to remote code execution on the host running the MCP server.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in logging, anomaly detection, or guardrails to monitor queries or detect abusive/malicious payloads passing through the MCP server.
Layer 6 (Security and Compliance): Boasts 'no API-key friction' and 'no credit card' requirements. This lack of authentication and identity verification makes it highly vulnerable to abuse and Sybil attacks, and complicates auditability and compliance tracking.
Layer 7 (Agent Ecosystem): Explicitly built for the multi-agent ecosystem. A compromise or denial of service of AgentWeb could cause cascading failures across numerous horizontal agent workflows that rely on its real-time travel and business data.
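The mitigation implied by the two layers above (data provenance and validation of returned links before a downstream agent acts on them) can be enforced client-side, independent of what the server does. The following is an added example, not AgentWeb's code or any MCP SDK API; the result shape (`booking_url` field) and the allowlisted domains are constructed assumptions. It quarantines any returned link that is not HTTPS, carries credentials in the authority part, points at an IP literal or a non-ASCII/punycode host, or falls outside an explicit allowlist.

```python
"""Client-side guard for URLs returned by an untrusted data tool (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: domains the downstream agent is permitted to follow.
ALLOWED_DOMAINS = {"example-hotels.test", "example-airline.test"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url):
    """Return (ok, reason); ok is True only when every check passes."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "https":
        return False, "scheme"
    # "https://example-hotels.test@evil.test/" parses with username=example-hotels.test
    # and hostname=evil.test; a human skimming the string would read it the other way.
    if parts.username or parts.password:
        return False, "credentials in authority"
    host = parts.hostname or ""
    if not host or _is_ip_literal(host):
        return False, "missing or IP-literal host"
    # Refuse homograph-prone hosts outright instead of trying to judge them.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "non-ascii or punycode host"
    if not any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return False, "host not allowlisted"
    return True, "ok"


def filter_results(results):
    """Split tool results into (accepted, quarantined), each item annotated with its reason."""
    accepted, quarantined = [], []
    for item in results:
        ok, reason = check_link(item.get("booking_url", ""))
        (accepted if ok else quarantined).append({**item, "reason": reason})
    return accepted, quarantined


# Constructed sample of what a search tool might return.
SAMPLE_RESULTS = [
    {"name": "Hotel A", "booking_url": "https://www.example-hotels.test/book/123"},
    {"name": "Hotel B", "booking_url": "http://example-hotels.test/book/124"},
    {"name": "Hotel C", "booking_url": "https://example-hotels.test@evil.test/login"},
    {"name": "Hotel D", "booking_url": "https://example-hotels.test.evil.test/"},
    {"name": "Hotel E", "booking_url": "https://203.0.113.5/book"},
]

if __name__ == "__main__":
    ok, bad = filter_results(SAMPLE_RESULTS)
    print("accepted:", [r["name"] for r in ok])
    print("quarantined:", [(r["name"], r["reason"]) for r in bad])
```

Quarantined entries should be logged with their reason rather than silently dropped; that log is also the cheapest detection signal for a poisoned upstream, since a sudden rise in "host not allowlisted" rejections is visible long before a user reports a phishing page.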
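One concrete control for the supply-chain exposure above is to refuse MCP server entries that auto-confirm an unpinned download. The following is an added example, not AgentWeb's or any MCP client's own code; it assumes the common client configuration shape (`mcpServers` mapping names to a `command` and `args` list) and uses a constructed config. It flags `npx -y`/`--yes` usage and any package spec without an exact `name@x.y.z` version.

```python
"""Audit an MCP client config for unpinned, auto-confirmed npx servers (added example)."""
import json
import re

# Exact semver pin, optionally scoped: agentweb-mcp@1.2.3 or @scope/pkg@1.2.3 (assumption).
PINNED = re.compile(r"^(@[^/@]+/)?[^@/]+@\d+\.\d+\.\d+$")


def audit_mcp_config(config_text):
    """Return a list of (server_name, finding) tuples for risky npx-based entries."""
    findings = []
    cfg = json.loads(config_text)
    for name, server in cfg.get("mcpServers", {}).items():
        if server.get("command", "") not in ("npx", "npx.cmd"):
            continue
        args = server.get("args", [])
        flags = [a for a in args if a.startswith("-")]
        positional = [a for a in args if not a.startswith("-")]
        spec = positional[0] if positional else ""
        if "-y" in flags or "--yes" in flags:
            findings.append((name, "auto-confirms package download (-y)"))
        if not PINNED.match(spec):
            findings.append((name, f"unpinned package spec {spec!r}"))
    return findings


# Constructed config: one entry copied from the listing's install hint, one pinned.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "agentweb": {"command": "npx", "args": ["-y", "agentweb-mcp"]},
        "pinned-example": {"command": "npx", "args": ["example-mcp@1.0.0"]},
        "local": {"command": "node", "args": ["server.js"]},
    }
})

if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

A pinned `name@x.y.z` spec still fetches from the registry on every launch; the stronger posture is a local install with a lockfile and `integrity` hashes, so the auditor's "pinned" result should be read as a floor, not as equivalent to a vetted artifact.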
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).