Intercom MCP Server — agentic threat model

AIVSS 7.3 · High

The Intercom MCP Server exposes highly sensitive customer support conversations, PII, and help-center data via a hosted OAuth remote server, presenting a high-impact target for data exfiltration and unauthorized contact lookup if the orchestrating agent is compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.7 · AARS uplift 0.85 · Factor sum 3.5/10 · Threat ×1.05 · Mitigation ×0.85

Autonomy of Action: 0.40
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.60
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.10
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The foundation model is not specified as this is an MCP server designed to plug into external LLMs. The primary L1 risk is that an external model's susceptibility to prompt injection could force the server to execute unauthorized searches or exfiltrate conversation histories.

L2 · Data Operations · ✓ mapped

Data operations involve querying live customer support conversations, contacts, companies, and help-center content. The primary threat is data exfiltration of PII contained within these conversations, as well as potential knowledge-base poisoning if help-center content can be modified (though the listing only specifies 'queries').

L3 · Agent Frameworks · ✓ mapped

The MCP framework exposes tools for searching and reading conversations and looking up contacts. Insecure tool integration or lack of strict input validation on the client side could allow attackers to craft malicious queries that bypass intended organizational boundaries.

L4 · Deployment & Infrastructure · ✓ mapped

The server is hosted remotely at mcp.intercom.com. Infrastructure threats include potential compromise of this hosted endpoint, exposure of the OAuth client secrets, or man-in-the-middle attacks on the transit of sensitive customer support data.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in logging, auditing, or guardrails to monitor query volume or detect anomalous data harvesting patterns by connected agents.
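
As an added illustration of the kind of guardrail this layer finds missing (not part of the listing and not Intercom's code), a client-side check over tool-call audit records can flag a connected agent that reads an unusually large number of distinct records in a short window. The record layout, tool names, client names, window and threshold are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300        # assumed sliding window
MAX_DISTINCT_OBJECTS = 20   # assumed per-client ceiling inside one window


def build_sample_calls():
    """Constructed audit records: (epoch_seconds, oauth_client, tool, object_id).
    Tool and client names are placeholders, not Intercom's schema."""
    base = 1_700_000_000
    calls = []
    for i in range(6):    # support agent: one conversation every 10 minutes
        calls.append((base + i * 600, "helpdesk-agent", "get_conversation", f"conv-{i}"))
    for i in range(40):   # poller: many calls, always the same conversation
        calls.append((base + i * 5, "status-bot", "get_conversation", "conv-1"))
    for i in range(30):   # bulk reader: 30 different contacts in one minute
        calls.append((base + 1000 + i * 2, "research-agent", "get_contact", f"contact-{i}"))
    return calls


def find_harvesting(calls, window=WINDOW_SECONDS, limit=MAX_DISTINCT_OBJECTS):
    """Return {client: timestamp} for the first moment a client has read more
    than `limit` distinct objects within the trailing `window` seconds."""
    recent = defaultdict(deque)   # client -> (timestamp, object_id) inside the window
    flagged = {}
    for ts, client, _tool, obj in sorted(calls):
        q = recent[client]
        q.append((ts, obj))
        while q and q[0][0] <= ts - window:   # evict reads that fell out of the window
            q.popleft()
        # Count distinct objects, so repeated reads of one record do not trip the alert.
        if client not in flagged and len({o for _, o in q}) > limit:
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for client, ts in find_harvesting(build_sample_calls()).items():
        print(f"ALERT client={client} exceeded {MAX_DISTINCT_OBJECTS} distinct reads at t={ts}")
```

Counting distinct objects rather than raw calls keeps a polling integration quiet while still catching breadth-first reads across many contacts or conversations.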

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Security is anchored on OAuth authentication to govern access scopes. However, because customer conversations contain PII, strict output handling, token lifecycle management, and compliance with privacy regulations (GDPR/CCPA) are critical and must be enforced at the integration boundary.

L7 · Agent Ecosystem · ✓ mapped

As an MCP server, this component is designed to be consumed by other agents. The primary ecosystem threat is A2A trust abuse, where a compromised orchestrator agent or a malicious downstream agent in a multi-agent workflow gains unauthorized access to the Intercom data stream.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).