Evolution API MCP Server — agentic threat model

AIVSS 8.8 · High

The Evolution API MCP Server exposes extensive WhatsApp control capabilities, creating a high-risk vector where prompt injection can lead to automated spam, phishing, and unauthorized group management via real-world communication channels.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.76
Factor sum: 4.8 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.60
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.30
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
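Carrying the formula through with the listing's own ten factor values, as an added example that is not part of the listing or of the OWASP AIVSS calculator: the function below reproduces the published factor sum, AARS uplift and final score, and also shows how far the mitigation multiplier alone moves the result. The 0–1 range checks on inputs are an assumption about the scale, inferred from the Factor_Sum / 10 normalisation over ten factors.

```python
"""Worked AIVSS computation for the Evolution API MCP Server listing (added example)."""
from typing import Dict, Mapping

# Agentic risk factors exactly as published on the listing (each scored 0.0-1.0).
LISTED_FACTORS: Mapping[str, float] = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}
LISTED_CVSS_BASE = 8.5
LISTED_THREAT_MULTIPLIER = 1.05   # ThM
LISTED_MITIGATION_FACTOR = 0.95   # Mitigation_Factor


def aivss(cvss_base: float, factors: Mapping[str, float],
          threat_multiplier: float, mitigation_factor: float) -> Dict[str, float]:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor,
    where AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM.
    Returns the intermediate values rounded the way the listing displays them."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0.0-10.0")
    for name, value in factors.items():
        # Assumed scale: ten factors in 0.0-1.0, so Factor_Sum / 10 lies in 0.0-1.0.
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    factor_sum = sum(factors.values())
    # AARS only fills the headroom left above the CVSS base, scaled by the factors and ThM.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return {"factor_sum": round(factor_sum, 2), "aars": round(aars, 2), "aivss": round(score, 1)}


def listed_score() -> Dict[str, float]:
    """The listing's published inputs; expected to give factor sum 4.8, AARS 0.76, AIVSS 8.8."""
    return aivss(LISTED_CVSS_BASE, LISTED_FACTORS, LISTED_THREAT_MULTIPLIER, LISTED_MITIGATION_FACTOR)


def unmitigated_score() -> Dict[str, float]:
    """Same agent with Mitigation_Factor 1.0, to show what the 0.95 multiplier is worth."""
    return aivss(LISTED_CVSS_BASE, LISTED_FACTORS, LISTED_THREAT_MULTIPLIER, 1.0)


if __name__ == "__main__":
    print("listed:     ", listed_score())
    print("unmitigated:", unmitigated_score())
```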

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server itself does not bundle a specific foundation model, but acts as a tool provider for external LLMs. The primary threat is that the host LLM is vulnerable to prompt injection, which could trick it into executing malicious WhatsApp actions via the exposed tools.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The server manages WhatsApp chats, messages, and profiles, but does not explicitly mention a vector database or RAG pipeline. The primary data risk is the exfiltration of sensitive chat histories and contact lists through the 121 exposed tools.

L3 · Agent Frameworks (✓ mapped)

The server exposes 121 highly sensitive tools for WhatsApp interaction (messages, groups, webhooks). The primary threat is insecure tool integration and tool misuse, where an LLM client can be manipulated into sending unauthorized messages, modifying group settings, or creating malicious webhooks.

L4 · Deployment & Infrastructure (✓ mapped)

The server relies on an EVOLUTION_API_KEY for authentication. If this key is compromised or insecurely stored in the environment, attackers gain full control over the associated WhatsApp instances. Sandboxing of the MCP server process is critical to prevent lateral movement.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, logging, or anomaly detection. Without external monitoring, malicious or accidental bulk messaging and webhook modifications could go unnoticed until account suspension occurs.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The server supports a configurable tool subset, which is a vital compliance and authorization control to limit the attack surface. However, it lacks fine-grained user-level authorization, meaning any client with access to the MCP server can invoke any enabled tool.

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, this agent is designed to be integrated into broader multi-agent workflows. A compromised or rogue agent in the same ecosystem could abuse the trust relationship to send spam or exfiltrate data via the WhatsApp tools without human intervention.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).