AgentReadyHomeAgent Listing

← Ihor-Sokoliuk/mcp-searxng

Ihor-Sokoliuk/mcp-searxng — agentic threat model

6.3AIVSS 6.3 · Medium

This MCP server acts as a bridge to SearXNG, exposing the consuming agent to significant indirect prompt injection risks from untrusted web search results, though self-hosting mitigates query privacy concerns.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.1AARS uplift 0.9Factor sum 2.3/10Threat ×1.0Mitigation ×0.9
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.30
Persistent Memory
0.00
Contextual Awareness
0.40
Dynamic Identity
0.10
Multi-Agent Interactions
0.20
Non-Determinism
0.70
Opacity & Reflexivity
0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The MCP server itself does not bundle or define a foundation model; it acts as an external tool for other LLMs, meaning model-level vulnerabilities depend entirely on the consuming agent.

L2 · Data Operations✓ mapped

Aggregated web result content from SearXNG serves as a major prompt-injection surface. Ingesting untrusted, real-time data from the web poses a high risk of indirect prompt injection and data poisoning.

L3 · Agent Frameworks✓ mapped

As an MCP tool server, it integrates directly into agent frameworks. Insecure tool integration or lack of sanitization on the returned search payloads could allow malicious web pages to hijack the calling agent's execution flow.

L4 · Deployment & Infrastructure✓ mapped

Can run locally or against a hosted SearXNG instance. Local deployment requires network access to the SearXNG instance, which could be abused for SSRF or internal network scanning if the query inputs are not properly validated.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in logging, monitoring, or guardrails to filter out malicious search results or detect prompt injection attempts before they reach the LLM.

L6 · Security & Compliance (cross-cutting)✓ mapped

Self-hosting is highlighted as a privacy control to keep queries private. However, the listing does not mention any built-in authentication or authorization mechanisms to restrict who can call the MCP server.

L7 · Agent Ecosystem✓ mapped

Designed to operate within the MCP ecosystem, allowing various agents to leverage search. A compromise or manipulation of the search results can lead to cascading failures across any downstream agents consuming this tool.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).