Kagi Search — agentic threat model
The Kagi Search MCP server presents a moderate security risk primarily driven by indirect prompt injection via ingested web content and the potential exposure of its paid API key. Its role as a multi-agent utility increases the blast radius of any successful exploitation to downstream orchestrators.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.80 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Uses FastGPT for summarization. Vulnerable to indirect prompt injection and adversarial reprogramming via untrusted web content ingested during search operations.
Ingests live web content dynamically. Highly vulnerable to data poisoning and indirect prompt injection embedded in third-party web pages.
Acts as an MCP tool provider. Vulnerable to tool misuse if the calling agent is compromised or manipulated into executing malicious search queries.
Not certain from the listing — The deployment environment of the MCP server is unspecified, but it carries a paid Kagi API key which is vulnerable to exposure or theft if secrets management is weak.
Not certain from the listing — There are no details regarding logging, monitoring, or guardrails to detect malicious payloads or anomalous query volumes.
Not certain from the listing — No compliance certifications or authorization policies are detailed beyond the requirement of a paid API key.
Designed specifically for multi-agent ecosystems (MCP). A compromise or manipulation of this server can lead to cascading failures and trust abuse in downstream client agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).