Exa MCP Server — agentic threat model

AIVSS 7.8 · High

The Exa MCP Server acts as a high-exposure vector for indirect prompt injection and sensitive data leakage due to its core function of feeding live, untrusted web and code content directly into LLMs. Its risk is primarily driven by the lack of input sanitization on retrieved content and the potential for outbound queries to expose proprietary context.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.8 · AARS uplift 0.99 · Factor sum 3.1/10 · Threat ×1.0 · Mitigation ×1.0

Agentic risk factors (each scored 0.00 to 1.00):
Autonomy of Action 0.30
Goal-Driven Planning 0.10
Self-Modification 0.00
Dynamic Tool Use 0.40
Persistent Memory 0.10
Contextual Awareness 0.70
Dynamic Identity 0.00
Multi-Agent Interactions 0.50
Non-Determinism 0.60
Opacity & Reflexivity 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
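The score above, recomputed as an added example (not part of the listing or of the AIVSS calculator): the page's formula applied to the factor table, so a reader can check the 0.99 uplift and the 7.8 total, and see how the threat and mitigation multipliers move the result. The CVSS-style severity bands and the 0..1 range check on each factor are assumptions.

```python
# Added example: recompute the OWASP AIVSS score from the factor table on this page.
# Formula as stated on the page:
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

# The ten agentic risk factors with the values the listing gives for the Exa MCP Server.
EXA_FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.40,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.40,
}


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return factor sum, AARS uplift and AIVSS score, rounded as the listing shows them."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in 0..10")
    for name, value in factors.items():
        # Assumption: each agentic factor is scored in 0..1, as the page's values are.
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range 0..1")
    factor_sum = sum(factors.values())
    # The uplift can only consume the headroom above the CVSS base, so AIVSS stays <= 10.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return {"factor_sum": round(factor_sum, 2), "aars": round(aars, 2), "aivss": round(score, 1)}


def severity(score):
    """Severity band. Assumption: AIVSS reuses the CVSS v3 ranges."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    result = aivss(6.8, EXA_FACTORS)
    print(result, severity(result["aivss"]))
```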

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The Exa MCP server itself does not host the foundation model but feeds retrieved web content into an external LLM. The primary threat is downstream indirect prompt injection via the retrieved web/code snippets.

L2 · Data Operations · ✓ mapped

Exa performs real-time web crawling and embeddings-based search. Threats include data poisoning of the search index (adversaries hosting malicious content to inject prompts) and data exfiltration/leakage of sensitive search queries to Exa's API.

L3 · Agent Frameworks · ✓ mapped

As an MCP server, it exposes tools (search, crawl, code-context) to an orchestrating agent. Threats include insecure tool integration, where the orchestrator blindly trusts Exa's output, leading to remote code execution or tool misuse if the retrieved content contains malicious instructions.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — The deployment model (local MCP process vs. hosted) is not detailed. If run locally, it requires network access to Exa's API, risking local credential exposure (API keys) and potential SSRF if the crawler can be coerced into querying internal network resources.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, content filtering, or logging of queries/retrieved content to detect prompt injection or sensitive data leakage before it reaches the LLM.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — Access control relies on Exa API keys. Compliance risks include potential GDPR/CCPA violations when crawling and processing personal data from the live web, and lack of data loss prevention (DLP) for outbound queries.

L7 · Agent Ecosystem · ✓ mapped

Exa acts as a utility agent/tool within the MCP ecosystem. A compromised or manipulated Exa search result can propagate malicious payloads (indirect prompt injection) to other connected agents in a multi-agent workflow, causing cascading failures.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).