Google Flights MCP (fli) — agentic threat model
The Google Flights MCP is a read-only search connector with low direct risk, but its output must be treated as untrusted to prevent downstream manipulation of booking agents.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.10 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.20 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.20 | |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The connector itself does not bundle a foundation model, but downstream LLMs invoking this tool are vulnerable to indirect prompt injection if scraped flight data contains malicious instructions.
Data operations involve querying and scraping Google Flights. Threats include data poisoning or manipulation of the scraped flight/route data, which could lead downstream systems to make incorrect financial decisions.
As an MCP tool, insecure integration is a key threat. Downstream frameworks may fail to sanitize the returned flight data, treating untrusted external pricing and route information as safe inputs.
Not certain from the listing — The hosting environment of the MCP server is unspecified. Threats include unauthorized local/network access to the MCP port and potential dependency vulnerabilities in the scraping stack.
Not certain from the listing — There is no mention of built-in logging, rate-limiting, or query guardrails, which could lead to undetected scraping abuse or IP blocking by Google Flights.
Not certain from the listing — No authentication, authorization, or compliance controls are described for this open-source connector, meaning access control must be managed entirely by the parent framework.
In a multi-agent ecosystem, this tool acts as an information provider. A compromise or manipulation of its output can cause cascading failures in downstream booking or transactional agents that rely on its flight data.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).