
Gmail MCP — agentic threat model

AIVSS 8.6 · High

The Gmail MCP agent possesses high-risk capabilities due to its broad OAuth access to read, send, and delete emails, making it highly susceptible to indirect prompt injection via incoming messages or attachments.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM, with ThM the threat multiplier

CVSS base: 8.8
AARS uplift: 0.77
Factor sum: 5.8 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.9

Agentic risk factors (each scored 0 to 1):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.30
Contextual Awareness: 0.70
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.40
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
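The score above can be recomputed from the page's own formula and factor values. The following is an added worked example, not the listing's calculator: it reproduces the 5.8 factor sum, the 0.77 AARS uplift and the 8.6 headline value, and then sweeps the mitigation factor to show how much the missing controls (HITL, scope minimisation) could move the score. The qualitative bands are an assumption that the CVSS v3.x severity scale applies to the final AIVSS value; the page's "High" for 8.6 is consistent with that.

```python
"""Recompute the OWASP AIVSS score for the Gmail MCP listing from
AIVSS = (CVSS_Base + AARS) * Mitigation_Factor,
AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
using the ten agentic risk factors the page lists (added example)."""

# Agentic risk factors exactly as the listing scores them (each in 0..1).
GMAIL_MCP_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.80,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}

# Assumption: the CVSS v3.x qualitative scale is applied to the final AIVSS value.
SEVERITY_BANDS = [(0.0, "None"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical")]


def factor_sum(factors):
    """Sum of the agentic factors; each must lie in 0..1 so the sum lies in 0..10."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: {value} is outside 0..1")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic AI Risk Score uplift. It scales the headroom left above the CVSS
    base (10 - base), so a near-10 base leaves little room for agentic uplift."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in 0..10")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Final AIVSS value, unrounded; the formula as quoted applies no cap at 10."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score):
    """Map a score to its qualitative band (see the SEVERITY_BANDS assumption)."""
    label = SEVERITY_BANDS[0][1]
    for floor, name in SEVERITY_BANDS:
        if score >= floor:
            label = name
    return label


def gmail_mcp_score(mitigation_factor=0.9):
    """The listing's inputs: CVSS base 8.8, threat multiplier 1.1, mitigation 0.9."""
    return round(aivss(8.8, GMAIL_MCP_FACTORS, 1.1, mitigation_factor), 1)


def mitigation_sweep(values=(1.0, 0.9, 0.8, 0.7, 0.6)):
    """How a stronger mitigation factor moves the headline score with the
    agentic factors held constant (e.g. adding HITL or narrowing scopes)."""
    return {mf: (gmail_mcp_score(mf), severity(gmail_mcp_score(mf))) for mf in values}


if __name__ == "__main__":
    print(f"Factor sum:  {factor_sum(GMAIL_MCP_FACTORS):.1f} / 10")
    print(f"AARS uplift: {aars(8.8, GMAIL_MCP_FACTORS, 1.1):.2f}")
    print(f"AIVSS:       {gmail_mcp_score()} ({severity(gmail_mcp_score())})")
    for mf, (score, band) in mitigation_sweep().items():
        print(f"  mitigation x{mf}: {score} {band}")
```

Note that because AARS only scales the headroom above the CVSS base, the agentic factors add less than 0.8 points here; the mitigation factor is the lever that moves the score across a severity band, which is why the controls discussed under the MAESTRO layers matter for the rating and not only for the risk itself.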

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description does not establish details for that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The underlying foundation model is not specified, but the system is highly vulnerable to indirect prompt injection and adversarial reprogramming via untrusted incoming email content and attachments.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No specific vector database or RAG pipeline is detailed, but the agent directly accesses and parses sensitive user data including email bodies, attachments, and contact lists.

L3 · Agent Frameworks (✓ mapped)

The agent utilizes the Model Context Protocol (MCP) to orchestrate sensitive tool calls (sending, drafting, deleting, and searching emails). A hijacked tool execution flow due to prompt injection could lead to unauthorized bulk actions.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The hosting infrastructure, execution environment, and sandboxing of attachment parsers are not described, though the agent operates with high-privilege OAuth tokens.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in evaluation, logging, or guardrails to detect anomalous behavior such as sudden bulk deletions or unauthorized email forwarding.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The agent relies on broad OAuth mail scopes for authorization. It lacks native policy enforcement or mandatory human-in-the-loop (HITL) controls, shifting the security burden of scope minimization to the user.
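The L5 and L6 entries name three missing controls: detection of anomalous bulk deletion or forwarding, policy enforcement on top of the OAuth scopes, and mandatory human-in-the-loop confirmation. The following is an added example, not the Gmail MCP project's code, of a policy gate an MCP client or proxy could place in front of the server's tools to supply all three. The tool names are hypothetical; the scope URLs are Gmail API OAuth scopes as I recall them and should be verified against Google's documentation; the sample tool calls and addresses are constructed.

```python
"""Added example: a policy gate between an MCP client and a Gmail MCP server's
tools, providing least-privilege scope checks, human-in-the-loop confirmation
for sending and deleting, and bulk-deletion detection. Tool names are
hypothetical; scope URLs are Gmail API scopes as recalled (verify them)."""
from collections import deque
from dataclasses import dataclass

FULL_ACCESS = "https://mail.google.com/"
TOOL_SCOPES = {  # minimum scope each hypothetical tool needs
    "search_emails": "https://www.googleapis.com/auth/gmail.readonly",
    "read_email":    "https://www.googleapis.com/auth/gmail.readonly",
    "send_email":    "https://www.googleapis.com/auth/gmail.send",
    "trash_email":   "https://www.googleapis.com/auth/gmail.modify",
    "delete_email":  FULL_ACCESS,  # permanent delete needs the full-access scope
}
DESTRUCTIVE = {"trash_email", "delete_email"}
OUTBOUND = {"send_email"}


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "confirm" (needs human approval) or "block"
    reason: str


class MailPolicyGate:
    def __init__(self, granted_scopes, owner_domain, bulk_threshold=5, bulk_window_s=60.0):
        self.granted = set(granted_scopes)
        self.owner_domain = owner_domain.lower()
        self.bulk_threshold = bulk_threshold
        self.bulk_window_s = bulk_window_s
        self._recent_deletes = deque()  # timestamps of destructive calls in the window

    def _scope_permits(self, tool):
        needed = TOOL_SCOPES.get(tool)
        return needed is not None and (needed in self.granted or FULL_ACCESS in self.granted)

    def evaluate(self, ts, tool, args):
        # 1. Least privilege: a tool the granted scopes cannot exercise is refused
        #    outright, whatever the model asked for.
        if not self._scope_permits(tool):
            return Decision("block", f"{tool}: not covered by granted scopes")
        # 2. Destructive actions always need a human, and a burst of them inside
        #    the window is treated as a probable hijacked tool flow and blocked.
        if tool in DESTRUCTIVE:
            self._recent_deletes.append(ts)
            while ts - self._recent_deletes[0] > self.bulk_window_s:
                self._recent_deletes.popleft()
            n = len(self._recent_deletes)
            if n >= self.bulk_threshold:
                return Decision("block", f"bulk deletion: {n} calls within {self.bulk_window_s:.0f}s")
            return Decision("confirm", f"{tool}: destructive action")
        # 3. Mail to addresses outside the owner's domain (the path unauthorized
        #    forwarding would take) needs a human before it leaves.
        if tool in OUTBOUND:
            external = [r for r in args.get("to", [])
                        if r.rsplit("@", 1)[-1].lower() != self.owner_domain]
            if external:
                return Decision("confirm", f"external recipients: {', '.join(external)}")
            return Decision("allow", "recipients within owner domain")
        return Decision("allow", f"{tool}: read-only")


# Constructed sample of tool calls as an orchestrator might issue them
# (timestamps in seconds; message ids and addresses are placeholders).
SAMPLE_CALLS = [
    (0.0, "read_email", {"id": "msg-1"}),
    (1.0, "send_email", {"to": ["alice@example.com"]}),
    (2.0, "send_email", {"to": ["archive@external.example"]}),
] + [(3.0 + i, "trash_email", {"id": f"msg-{i + 2}"}) for i in range(6)] + [
    (9.0, "delete_email", {"id": "msg-9"}),
]
GRANTED = {  # scopes the user actually consented to: no full access
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
}


def run_sample(calls=SAMPLE_CALLS):
    """Return the gate's action for each sample call, in order."""
    gate = MailPolicyGate(GRANTED, "example.com")
    return [gate.evaluate(ts, tool, args).action for ts, tool, args in calls]


if __name__ == "__main__":
    gate = MailPolicyGate(GRANTED, "example.com")
    for ts, tool, args in SAMPLE_CALLS:
        d = gate.evaluate(ts, tool, args)
        print(f"t={ts:4.1f} {tool:13s} -> {d.action:7s} {d.reason}")
```

On the sample, the read and the in-domain send pass, the external send and the first four trash calls are held for confirmation, the fifth and sixth trash calls within the window are blocked as bulk deletion, and the permanent delete is blocked because the consented scopes never included full mailbox access. The gate is deliberately on the client side of the MCP boundary so that a prompt-injected instruction arriving through email content is evaluated against the same policy as any other request.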

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, this agent is designed to be called by other agents or clients. A compromise in an upstream orchestrator or a malicious multi-agent interaction could result in cascading unauthorized access to the user's entire mailbox.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).