Calendly (Composio MCP) — agentic threat model

AIVSS 6.4 · Medium

This agent exposes Calendly scheduling and invitee PII via MCP tools, presenting moderate risk primarily around unauthorized data exposure and calendar manipulation if hijacked by an untrusted LLM.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.3 · AARS uplift 1.26 · Factor sum 3.4/10 · Threat ×1.0 · Mitigation ×0.85

Autonomy of Action: 0.40
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.50
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.30
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The agent relies on external LLMs hosting the MCP client. The primary threat is prompt injection hijacking the model to execute unauthorized Calendly tool calls.

L2 · Data Operations ✓ mapped

The agent handles sensitive invitee PII, scheduling data, and availability queries. The primary threat is data exfiltration of calendar details and contact information via malicious tool execution.

L3 · Agent Frameworks ✓ mapped

Exposes Calendly API endpoints as MCP tools. Threat includes tool misuse where an LLM is tricked into canceling events, modifying availability, or leaking invitee lists.

L4 · Deployment & Infrastructure ✓ mapped

Composio hosts the integration infrastructure and manages the OAuth connection. Threat includes potential compromise of the Composio platform leading to credential leakage or lateral movement.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — There is no explicit mention of logging, audit trails, or guardrails to monitor and detect anomalous scheduling queries or bulk data exports.

L6 · Security & Compliance (cross-cutting) ✓ mapped

Authentication is managed via Calendly OAuth handled by Composio. Security relies heavily on the scopes granted during OAuth authorization and token storage security.

L7 · Agent Ecosystem ✓ mapped

As an MCP tool, this agent can be composed into multi-agent workflows, introducing risks of cascading failures or unauthorized data sharing if chained with untrusted agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).