AgentReadyHome · Agent Listing


Apollo (Composio MCP) — agentic threat model

AIVSS 7.5 · High

Apollo (Composio MCP) exposes sensitive PII search and enrichment capabilities to LLMs, presenting a high risk of automated bulk data exfiltration and compliance violations if the agent is manipulated via prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.5 · AARS uplift: 0.84 · Factor sum: 3.2/10 · Threat multiplier (ThM): ×1.05 · Mitigation factor: ×0.9

Agentic risk factors:
Autonomy of Action: 0.40
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.60
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.20
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
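The score above is reproducible from the formula and the factor values shown. The following is an added worked example, not AgentReadyHome's or OWASP's own scoring code: it applies the quoted formula to the listed inputs and recovers the 0.84 AARS uplift and the 7.5 final score, then shows how the score moves when the mitigation credit is removed or one factor is raised. The qualitative band in `severity()` assumes CVSS v3.x-style thresholds, which is an assumption, not something the listing states.

```python
"""Worked AIVSS calculation for this listing.

Added example: not AgentReadyHome's or OWASP's scoring code. It applies the
formula quoted on the page to the factor values shown there.
"""

# Inputs taken from the listing.
CVSS_BASE = 7.5
THREAT_MULTIPLIER = 1.05   # ThM in the formula
MITIGATION_FACTOR = 0.9

AGENTIC_FACTORS = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}


def factor_sum(factors):
    """Sum of the ten agentic factor scores (the listing shows 3.2/10)."""
    return round(sum(factors.values()), 2)


def aars(cvss_base, factors, thm):
    """Agentic risk uplift: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    return (10 - cvss_base) * (factor_sum(factors) / 10) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """Final score: (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def severity(score):
    """Qualitative band. Assumption: CVSS v3.x-style thresholds
    (Low < 4.0, Medium < 7.0, High < 9.0, Critical >= 9.0)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def score_listing(mitigation=MITIGATION_FACTOR, factors=AGENTIC_FACTORS):
    """Return the rounded values the way the listing displays them."""
    score = aivss(CVSS_BASE, factors, THREAT_MULTIPLIER, mitigation)
    return {
        "factor_sum": factor_sum(factors),
        "aars": round(aars(CVSS_BASE, factors, THREAT_MULTIPLIER), 2),
        "aivss": round(score, 1),
        "severity": severity(round(score, 1)),
    }


if __name__ == "__main__":
    print("as listed:", score_listing())
    # Sensitivity checks: drop the mitigation credit, or max out Dynamic Tool Use.
    print("no mitigation credit:", score_listing(mitigation=1.0))
    worse = dict(AGENTIC_FACTORS, **{"Dynamic Tool Use": 1.0})
    print("tool use maxed:", score_listing(factors=worse))
```

Because the CVSS base is already 7.5, the agentic uplift can add at most 2.5 × ThM before mitigation; in this listing most of the remaining headroom sits in Dynamic Tool Use and Contextual Awareness, which is why the per-layer notes below concentrate on tool-side controls.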

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — the agent relies on external LLMs via the Model Context Protocol (MCP). The primary risk is indirect prompt injection, where malicious content retrieved through Apollo's search results influences the model's subsequent instructions.

L2 · Data Operations · ✓ mapped

The agent acts as a conduit for bulk PII (emails, phone numbers, company data). Risks include data exfiltration, scraping of proprietary contact databases, and violation of privacy regulations (GDPR/CCPA) through automated querying.

L3 · Agent Frameworks · ✓ mapped

Utilizes Composio's MCP framework to expose Apollo API tools. Vulnerabilities include insecure tool integration where an LLM can be manipulated into executing unauthorized bulk searches or exhausting API quotas.

L4 · Deployment & Infrastructure · ✓ mapped

Composio manages the authentication and hosts the connection. The primary risk is the exposure or leakage of the managed Apollo API key or Composio integration tokens.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — there is no mention of built-in rate limiting, anomaly detection for bulk queries, or logging of LLM-to-tool interactions, which are the controls that would catch automated harvesting of contact records.
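What such a control looks like in practice is easier to see on an example. The following is an added illustration, not code from Composio, Apollo or AgentReadyHome: it assumes (an assumption) that every LLM-to-tool call is logged as one JSON object per line with `ts`, `session`, `tool` and `result_count` fields, uses hypothetical Apollo tool names, and runs a sliding-window detector over a constructed sample log in which one session performs ordinary lookups and another pulls contact records in bulk.

```python
"""Sliding-window bulk-query detector over MCP tool-call logs.

Added example, not Composio's, Apollo's or AgentReadyHome's own code. Assumes
each LLM-to-tool call is logged as one JSON object per line with ts, session,
tool and result_count fields; the tool names below are hypothetical.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical names for the PII-returning tools that deserve tighter limits.
SENSITIVE_TOOLS = {"apollo_people_search", "apollo_enrich_person"}

# Constructed sample: "sess-analyst" does two normal lookups plus one non-PII
# call; "sess-bulk" issues five PII queries in 20 seconds.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00", "session": "sess-analyst", "tool": "apollo_people_search", "result_count": 10}
{"ts": "2024-05-01T10:00:05", "session": "sess-bulk", "tool": "apollo_people_search", "result_count": 25}
{"ts": "2024-05-01T10:00:10", "session": "sess-bulk", "tool": "apollo_people_search", "result_count": 25}
{"ts": "2024-05-01T10:00:12", "session": "sess-analyst", "tool": "apollo_get_account", "result_count": 1}
{"ts": "2024-05-01T10:00:15", "session": "sess-bulk", "tool": "apollo_enrich_person", "result_count": 25}
{"ts": "2024-05-01T10:00:20", "session": "sess-bulk", "tool": "apollo_people_search", "result_count": 25}
{"ts": "2024-05-01T10:00:25", "session": "sess-bulk", "tool": "apollo_people_search", "result_count": 25}
{"ts": "2024-05-01T10:00:40", "session": "sess-analyst", "tool": "apollo_people_search", "result_count": 10}
"""


def detect_bulk_queries(lines, window_seconds=60, max_calls=5, max_records=100):
    """Return {session: reason} for sessions whose sensitive-tool usage inside a
    rolling window exceeds max_calls calls or max_records returned records.
    Only the first breach per session is reported. Input is assumed to be
    time-ordered, as a log stream would be."""
    history = defaultdict(deque)   # session -> deque of (timestamp, records)
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        if evt["tool"] not in SENSITIVE_TOOLS:
            continue                        # non-PII tools are not counted
        ts = datetime.fromisoformat(evt["ts"])
        window = history[evt["session"]]
        window.append((ts, int(evt["result_count"])))
        # Evict events that have aged out of the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        calls = len(window)
        records = sum(n for _, n in window)
        if evt["session"] not in alerts and (calls > max_calls or records > max_records):
            alerts[evt["session"]] = f"{calls} calls / {records} records in {window_seconds}s"
    return alerts


def run_sample():
    """Run the detector over the constructed sample with default thresholds."""
    return detect_bulk_queries(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for session, reason in run_sample().items():
        print(f"ALERT {session}: {reason}")
```

The same check can sit in front of the tool rather than behind the log: returning a refusal when the window is exceeded turns the detector into the rate limit the layer note says is absent, and the per-session record count is a better signal than call count alone, since a single search can return far more PII than a dozen single-record enrichments.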

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Composio handles authentication, which provides some centralized access control. However, compliance risks remain high due to the ease of extracting and processing PII without explicit user consent or audit trails.

L7 · Agent Ecosystem · ✓ mapped

As an MCP tool, this agent can be chained with other agents (e.g., auto-dialers or email spammers), creating cascading risks where compromised upstream agents abuse Apollo tools for targeted social engineering.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).