Exa MCP Server — agentic threat model
The Exa MCP Server acts as a high-exposure vector for indirect prompt injection and sensitive data leakage due to its core function of feeding live, untrusted web and code content directly into LLMs. Its risk is primarily driven by the lack of input sanitization on retrieved content and the potential for outbound queries to expose proprietary context.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.40 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The Exa MCP server itself does not host the foundation model but feeds retrieved web content into an external LLM. The primary threat is downstream indirect prompt injection via the retrieved web/code snippets.
Layer 2 (Data Operations): Exa performs real-time web crawling and embeddings-based search. Threats include data poisoning of the search index (adversaries hosting malicious content to inject prompts) and data exfiltration/leakage of sensitive search queries to Exa's API.
Layer 3 (Agent Frameworks): As an MCP server, it exposes tools (search, crawl, code-context) to an orchestrating agent. Threats include insecure tool integration, where the orchestrator blindly trusts Exa's output, leading to remote code execution or tool misuse if the retrieved content contains malicious instructions.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The deployment model (local MCP process vs. hosted) is not detailed. If run locally, it requires network access to Exa's API, risking local credential exposure (API keys) and potential SSRF if the crawler can be coerced into querying internal network resources.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in guardrails, content filtering, or logging of queries/retrieved content to detect prompt injection or sensitive data leakage before it reaches the LLM.
Layer 6 (Security and Compliance): Not certain from the listing — Access control relies on Exa API keys. Compliance risks include potential GDPR/CCPA violations when crawling and processing personal data from the live web, and lack of data loss prevention (DLP) for outbound queries.
Layer 7 (Agent Ecosystem): Exa acts as a utility agent/tool within the MCP ecosystem. A compromised or manipulated Exa search result can propagate malicious payloads (indirect prompt injection) to other connected agents in a multi-agent workflow, causing cascading failures.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
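The two caveated layers above (SSRF via a coerced crawler, and the absence of content filtering or logging before retrieved text reaches the LLM) are the ones an orchestrator can mitigate on its own side. The following is an added illustration, not code from the Exa MCP Server project: a guard the calling agent applies to each search/crawl result. The result shape (a source URL plus text), the tag name and the injection phrase list are all constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed heuristic list of phrasings typical of instruction injection in
# retrieved text; it catches obvious cases only and is not a classifier.
INJECTION_PATTERNS = [
    r"ignore (?:all )?(?:previous|prior|above) instructions",
    r"you are now",
    r"system prompt",
    r"do not (?:tell|inform) the user",
]
_INJECTION_RE = re.compile("|".join(INJECTION_PATTERNS), re.IGNORECASE)


def is_safe_crawl_target(url: str) -> bool:
    """SSRF guard: reject URLs aimed at loopback, private or link-local hosts.
    Only literal IP hosts are judged here; a hostname must be re-checked after
    DNS resolution at connect time, which is where rebinding would bite."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # plain hostname: defer to the post-resolution check


def screen_retrieved_content(source_url: str, text: str) -> tuple[str, list[str]]:
    """Wrap a snippet as untrusted data and return phrases for the audit log.
    The wrapper is a hint to the model, not a trust boundary; the flags are
    what a reviewer or a blocking policy acts on."""
    flags = [m.group(0) for m in _INJECTION_RE.finditer(text)]
    # Neutralise a closing tag smuggled into the page so it cannot end the
    # untrusted block early and pass the rest off as trusted text.
    body = text.replace("</untrusted_web_content>", "[removed closing tag]")
    wrapped = f'<untrusted_web_content source="{source_url}">\n{body}\n</untrusted_web_content>'
    return wrapped, flags


def guard_exa_result(source_url: str, text: str) -> dict:
    """Apply both checks to one result before it is handed to the LLM."""
    if not is_safe_crawl_target(source_url):
        return {"allowed": False, "reason": "non-public target", "flags": []}
    wrapped, flags = screen_retrieved_content(source_url, text)
    return {"allowed": True, "content": wrapped, "flags": flags}
```

A non-empty `flags` list is the signal the orchestrator should log and, depending on policy, use to drop the result rather than forward it.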