Instagram DMs MCP — agentic threat model
The Instagram DMs MCP agent presents a high-risk profile due to its direct custody of personal social media credentials combined with LLM-driven messaging capabilities, creating a significant surface for automated spam, account suspension, and social engineering.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0–1) |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.90 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.80 |
| Opacity & Reflexivity | 0.70 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference). The ten agentic risk factors above are estimates on the 0–1 scale derived from the agent's publicly described capabilities, not from testing the implementation; the high Dynamic Identity and Autonomy of Action values reflect that the agent acts as the account owner, from the owner's session, without a human in the loop per message.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the MAESTRO layer numbering. Layers tagged "not certain from the listing" carry general, caveated commentary where the public description did not pin down that layer's implementation.
Layer 1, Foundation Models. Not certain from the listing: the agent relies on external LLMs reached through the Model Context Protocol (MCP). The primary threat is prompt injection or model reprogramming, including indirect injection carried in the text of received DMs if the agent reads them into the model's context, which could steer the LLM into sending malicious links or abusive messages to Instagram contacts.
Layer 2, Data Operations. Not certain from the listing: the agent primarily acts as a transactional messaging tool. However, any local history or message logs stored to give the LLM context are a data exposure risk if they are not encrypted at rest and scoped to the owning user.
Layer 3, Agent Frameworks. The agent framework exposes a highly sensitive tool (sending Instagram DMs) directly to LLM orchestration. Insecure tool integration, or the absence of strict validation of the recipient and message-body arguments the model supplies, could let the LLM bypass user intent and send unauthorized messages.
Layer 4, Deployment and Infrastructure. Not certain from the listing: as an MCP server it likely runs locally on the user's machine or in a container. The primary threat is insecure storage of Instagram session cookies, credentials or API tokens on the host filesystem, where any other local process or a leaked backup can read them.
Layer 5, Evaluation and Observability. Not certain from the listing: no guardrails, rate limiting, content filtering or audit logging are mentioned, so nothing stops the agent from sending at a volume or with content that trips Instagram's automated spam detection, and nothing records what it sent after the fact.
Layer 6, Security and Compliance. The agent operates in direct violation of Instagram's Terms of Service regarding automated platform interaction. It lacks built-in identity verification or multi-user authorization controls, so anyone with access to the LLM interface can impersonate the account owner.
Layer 7, Agent Ecosystem. In an MCP ecosystem, other connected agents could call this tool. A compromised or rogue agent in the same environment could silently abuse it to exfiltrate conversation data or spread spam through the user's Instagram account, since the tool does not distinguish which client is invoking it.
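The Layer 3, 5 and 7 threats above all come down to the same missing control: a policy layer between the LLM's tool call and the actual send. The following is an added example, not code from the Instagram DMs MCP project, showing what that guard looks like in Python. It is transport-agnostic (the `transport` callable standing in for the real DM-sending code is a hypothetical stand-in), and it enforces four checks before any message leaves: the calling MCP client must be on an allowlist (Layer 7), the recipient must have been approved by the human once (Layer 3), links in the body must point at allowlisted hosts to blunt injected phishing URLs (Layer 1), and a rolling per-hour budget bounds volume both globally and per recipient (Layer 5). The client names, hosts and recipients in `demo()` are constructed data.

```python
"""Guard layer for an LLM-exposed 'send Instagram DM' tool.

Added example; it is not the project's own code. `transport` is a hypothetical
callable that would perform the real send; everything else is self-contained.
"""
import re
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlparse

# Matches http(s) URLs in a message body so they can be checked against a host allowlist.
URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)


class GuardError(Exception):
    """Raised when a send is refused; the message carries the reason for the audit log."""


@dataclass
class DmGuard:
    allowed_callers: frozenset            # MCP client identities permitted to invoke the tool
    allowed_link_hosts: frozenset         # hosts an outgoing link may point at
    approved_recipients: set              # recipients the human has explicitly approved once
    max_per_hour: int = 20                # global send budget per rolling hour
    max_per_recipient_per_hour: int = 3   # bounds repeated messaging of one contact
    clock: Callable[[], float] = time.time  # injectable for deterministic tests
    _sent: deque = field(default_factory=deque)  # (timestamp, recipient) for the rolling window
    _pending: set = field(default_factory=set)   # recipients awaiting human approval

    def _prune(self, now: float) -> None:
        """Drop send records older than one hour from the rolling window."""
        while self._sent and now - self._sent[0][0] > 3600:
            self._sent.popleft()

    def _check_links(self, text: str) -> None:
        """Refuse any URL whose host is not on the allowlist (injected phishing links)."""
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host not in self.allowed_link_hosts:
                raise GuardError(f"link to non-allowlisted host {host!r}")

    def approve(self, recipient: str) -> None:
        """Human-in-the-loop step: the account owner approves a new recipient."""
        self.approved_recipients.add(recipient)
        self._pending.discard(recipient)

    def send(self, caller: str, recipient: str, text: str,
             transport: Callable[[str, str], None]) -> bool:
        """Apply every policy check, then hand the message to the transport."""
        if caller not in self.allowed_callers:
            raise GuardError(f"caller {caller!r} not authorized")
        if recipient not in self.approved_recipients:
            self._pending.add(recipient)          # surfaced to the human for approval
            raise GuardError(f"recipient {recipient!r} needs human approval")
        self._check_links(text)
        now = self.clock()
        self._prune(now)
        if len(self._sent) >= self.max_per_hour:
            raise GuardError("hourly send budget exhausted")
        if sum(1 for _, r in self._sent if r == recipient) >= self.max_per_recipient_per_hour:
            raise GuardError(f"per-recipient limit reached for {recipient!r}")
        transport(recipient, text)
        self._sent.append((now, recipient))
        return True


def demo():
    """Drive the guard with a fake clock and a recording transport (constructed data)."""
    fake_now = [1_000_000.0]
    delivered = []
    guard = DmGuard(
        allowed_callers=frozenset({"desktop-chat-client"}),
        allowed_link_hosts=frozenset({"example.com"}),
        approved_recipients={"friend_a"},
        max_per_hour=5,
        max_per_recipient_per_hour=2,
        clock=lambda: fake_now[0],
    )
    outcomes = []

    def attempt(caller, recipient, text):
        try:
            guard.send(caller, recipient, text, lambda r, m: delivered.append((r, m)))
            outcomes.append("sent")
        except GuardError as err:
            outcomes.append(f"refused: {err}")

    attempt("rogue-agent", "friend_a", "hi")                                # Layer 7: unknown caller
    attempt("desktop-chat-client", "stranger", "hi")                        # Layer 3: unapproved recipient
    attempt("desktop-chat-client", "friend_a", "see https://evil.test/x")   # Layer 1: injected link
    attempt("desktop-chat-client", "friend_a", "see https://example.com/ok")
    attempt("desktop-chat-client", "friend_a", "second")
    attempt("desktop-chat-client", "friend_a", "third")                     # Layer 5: per-recipient cap
    fake_now[0] += 3601                                                     # rolling window expires
    attempt("desktop-chat-client", "friend_a", "after window")
    return outcomes, delivered


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Every refusal raises with a reason string, so the same guard doubles as the audit trail the Layer 5 commentary says is absent: log the `GuardError` message together with the caller and recipient, and a rogue client or an injected link shows up in the log rather than in the user's sent folder.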
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).