Calendly (Composio MCP) — agentic threat model
This agent exposes Calendly scheduling and invitee PII via MCP tools, presenting moderate risk primarily around unauthorized data exposure and calendar manipulation if hijacked by an untrusted LLM.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” carry general, caveated commentary because the public description did not pin down that layer.
Layer 1, Foundation Models (not certain from the listing): The agent relies on external LLMs hosting the MCP client. The primary threat is prompt injection hijacking the model to execute unauthorized Calendly tool calls.
Layer 2, Data Operations: The agent handles sensitive invitee PII, scheduling data, and availability queries. The primary threat is data exfiltration of calendar details and contact information via malicious tool execution.
Layer 3, Agent Frameworks: Exposes Calendly API endpoints as MCP tools. The threat includes tool misuse, where an LLM is tricked into canceling events, modifying availability, or leaking invitee lists.
Layer 4, Deployment and Infrastructure: Composio hosts the integration infrastructure and manages the OAuth connection. The threat includes potential compromise of the Composio platform leading to credential leakage or lateral movement.
Layer 5, Evaluation and Observability (not certain from the listing): There is no explicit mention of logging, audit trails, or guardrails to monitor and detect anomalous scheduling queries or bulk data exports.
Layer 6, Security and Compliance: Authentication is managed via Calendly OAuth handled by Composio. Security relies heavily on the scopes granted during OAuth authorization and on the security of token storage.
Layer 7, Agent Ecosystem: As an MCP tool, this agent can be composed into multi-agent workflows, introducing risks of cascading failures or unauthorized data sharing if chained with untrusted agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).