Ihor-Sokoliuk/mcp-searxng — agentic threat model
This MCP server acts as a bridge to SearXNG, exposing the consuming agent to significant indirect prompt injection risks from untrusted web search results, though self-hosting mitigates query privacy concerns.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The MCP server itself does not bundle or define a foundation model; it acts as an external tool for other LLMs, meaning model-level vulnerabilities depend entirely on the consuming agent.
Aggregated web result content from SearXNG serves as a major prompt-injection surface. Ingesting untrusted, real-time data from the web poses a high risk of indirect prompt injection and data poisoning.
As an MCP tool server, it integrates directly into agent frameworks. Insecure tool integration or lack of sanitization on the returned search payloads could allow malicious web pages to hijack the calling agent's execution flow.
Can run locally or against a hosted SearXNG instance. Local deployment requires network access to the SearXNG instance, which could be abused for SSRF or internal network scanning if the query inputs are not properly validated.
Not certain from the listing — There is no mention of built-in logging, monitoring, or guardrails to filter out malicious search results or detect prompt injection attempts before they reach the LLM.
Self-hosting is highlighted as a privacy control to keep queries private. However, the listing does not mention any built-in authentication or authorization mechanisms to restrict who can call the MCP server.
Designed to operate within the MCP ecosystem, allowing various agents to leverage search. A compromise or manipulation of the search results can lead to cascading failures across any downstream agents consuming this tool.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).