Ashby (Composio MCP) — agentic threat model
Ashby (Composio MCP) exposes sensitive candidate PII and recruiting pipeline write operations via MCP tools, presenting a high-impact target for data exfiltration and unauthorized pipeline manipulation if the orchestrating LLM is compromised.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The underlying foundation model is not specified, as this is an MCP tool wrapper; however, whichever model orchestrates the tools remains vulnerable to prompt injection attacks that could force unauthorized tool execution.
Layer 2 (Data Operations): Data operations involve querying and writing candidate PII, application details, and job pipeline data. The primary threat is exfiltration of sensitive HR records and unauthorized modification of candidate profiles.
Layer 3 (Agent Frameworks): The agent framework layer relies on Composio's MCP integration. Threats include tool misuse, where an LLM is manipulated into executing write operations (e.g., changing interview stages or creating fake candidates) without explicit user consent.
Layer 4 (Deployment & Infrastructure): Deployment relies on Composio to manage and host the Ashby API keys. The primary infrastructure threat is the exposure or compromise of these managed API keys within the Composio environment.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of built-in evaluation, logging, or real-time guardrails to monitor and block anomalous API requests or prompt injection attempts targeting the Ashby tools.
Layer 6 (Security & Compliance): Security and compliance are heavily dependent on Composio's authentication handling. While Composio manages the OAuth/API key lifecycle, fine-grained authorization controls (limiting read vs. write access to Ashby) are not detailed.
Layer 7 (Agent Ecosystem): In an ecosystem context, if this MCP tool is exposed to a multi-agent system, other untrusted or compromised agents could interact with the Ashby tools to silently harvest candidate PII or disrupt hiring pipelines.
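The gaps called out in Layers 3, 5 and 6 (unconfirmed write operations, no logging or guardrails, no read/write separation) can be closed on the agent side with a policy gate in front of the MCP tool dispatcher. The following is an added illustration, not Composio's or Ashby's code; the tool names are assumed placeholders, not Composio's real Ashby tool identifiers.

```python
"""Read/write policy gate for MCP tool calls (added example, not Composio/Ashby code).

Tool names are assumed placeholders standing in for the real Ashby tool ids.
"""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    READ = "read"
    WRITE = "write"


# Assumed catalogue of tools and their access class. Anything not listed is
# denied rather than guessed (default deny).
TOOL_ACCESS = {
    "ashby_list_candidates": Access.READ,
    "ashby_get_application": Access.READ,
    "ashby_change_interview_stage": Access.WRITE,
    "ashby_create_candidate": Access.WRITE,
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolGate:
    """Reads pass; writes need a per-call user confirmation; every call is
    audited, and repeated unconfirmed writes raise an anomaly flag."""
    write_alert_threshold: int = 3
    denied_writes: int = 0
    audit_log: list = field(default_factory=list)

    def check(self, tool: str, args: dict, user_confirmed: bool) -> Decision:
        access = TOOL_ACCESS.get(tool)
        if access is None:
            decision = Decision(False, f"unknown tool {tool!r} (default deny)")
        elif access is Access.READ:
            decision = Decision(True, "read-only tool")
        elif user_confirmed:
            decision = Decision(True, "write confirmed by user")
        else:
            self.denied_writes += 1
            decision = Decision(False, "write requires explicit user confirmation")
        # Log argument names only, so candidate PII never lands in the audit trail.
        self.audit_log.append((tool, sorted(args), decision.allowed, decision.reason))
        return decision

    def anomalous(self) -> bool:
        """Repeated unconfirmed write attempts suggest a manipulated model."""
        return self.denied_writes >= self.write_alert_threshold
```

The confirmation flag must come from the human user's channel, not from the model's own output, or an injected prompt can simply assert it.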
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).