
Ashby (Composio MCP) — agentic threat model

AIVSS 7.5 · High

Ashby (Composio MCP) exposes sensitive candidate PII and recruiting pipeline write operations via MCP tools, presenting a high-impact target for data exfiltration and unauthorized pipeline manipulation if the orchestrating LLM is compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.1
AARS uplift: 0.72
Factor sum: 3.6/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.85

Agentic risk factors:
Autonomy of Action: 0.60
Goal-Driven Planning: 0.50
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.20
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
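The score above can be reproduced from the listed factors. The following is an added example, not part of this listing or of the AIVSS calculator, that applies the formula as stated on the page to the page's own values; the severity bands are an assumption (the CVSS v3 qualitative scale).

```python
# Added example: recompute this listing's AIVSS score from its ten factors.
# Formula as stated on the page:
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
from typing import Dict

# Agentic risk factor values exactly as listed on the page (each in 0.0..1.0)
ASHBY_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}

def aars(cvss_base: float, factors: Dict[str, float], threat_mult: float) -> float:
    """Agentic uplift: scales the headroom left above the CVSS base score."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    if len(factors) != 10 or any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("expected ten factors, each in [0, 1]")
    factor_sum = sum(factors.values())  # 3.6 for this listing
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_mult

def aivss(cvss_base: float, factors: Dict[str, float],
          threat_mult: float, mitigation: float) -> float:
    """Final AIVSS: base plus agentic uplift, discounted by mitigation, capped at 10."""
    score = (cvss_base + aars(cvss_base, factors, threat_mult)) * mitigation
    return min(round(score, 1), 10.0)

def severity(score: float) -> str:
    """Qualitative band; assumption: the CVSS v3 rating scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score >= 0.1 else "None"

if __name__ == "__main__":
    uplift = aars(8.1, ASHBY_FACTORS, 1.05)                # 0.72 after rounding
    score = aivss(8.1, ASHBY_FACTORS, 1.05, 0.85)          # 7.5
    print(f"AARS uplift {uplift:.2f}, AIVSS {score} ({severity(score)})")
```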

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The underlying foundation model is not specified as this is an MCP tool wrapper; however, the model remains vulnerable to prompt injection attacks that could force unauthorized tool execution.

L2 · Data Operations (✓ mapped)

Data operations involve querying and writing candidate PII, application details, and job pipeline data. The primary threat is data exfiltration of sensitive HR records and unauthorized modification of candidate profiles.

L3 · Agent Frameworks (✓ mapped)

The agent framework layer relies on Composio's MCP integration. Threats include tool misuse where an LLM is manipulated into executing write operations (e.g., changing interview stages or creating fake candidates) without explicit user consent.

L4 · Deployment & Infrastructure (✓ mapped)

Deployment relies on Composio to manage and host the Ashby API keys. The primary infrastructure threat is the exposure or compromise of these managed API keys within the Composio environment.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in evaluation, logging, or real-time guardrails to monitor and block anomalous API requests or prompt injection attempts targeting the Ashby tools.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Security and compliance are heavily dependent on Composio's authentication handling. While Composio manages the OAuth/API key lifecycle, fine-grained authorization controls (limiting read vs. write access to Ashby) are not detailed.

L7 · Agent Ecosystem (✓ mapped)

In an ecosystem context, if this MCP tool is exposed to a multi-agent system, other untrusted or compromised agents could interact with the Ashby tools to silently harvest candidate PII or disrupt hiring pipelines.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).