Brave Search MCP — agentic threat model
The Brave Search MCP connector acts as a gateway to external web data, introducing risks of indirect prompt injection from untrusted search results and credential theft of the user's API token.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — the connector itself does not define the foundation model, but the consuming LLM is highly vulnerable to indirect prompt injection via untrusted search results returned by this tool.
Consumes untrusted result text and snippets from Brave's external index, exposing the consuming agent to data poisoning and malicious payloads embedded in web content.
Integrates as an MCP tool. Vulnerable to tool misuse if the orchestrating framework fails to sanitize search queries or blindly executes actions based on returned URLs and snippets.
Requires a bring-your-own Brave Search API token. Secure storage of this credential is a primary infrastructure risk, as exposure would allow unauthorized API consumption.
Not certain from the listing — no built-in logging, guardrails, or anomaly detection are described; monitoring of search queries and API usage must be handled entirely by the host platform.
Security relies on the user's API token limits and the host platform's execution policies. No native access controls or compliance certifications are specified in the listing.
Designed for the MCP ecosystem, allowing other agents to invoke search. A compromised agent in the ecosystem could abuse this tool to perform reconnaissance or exfiltrate data via search queries.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).