Kiwi.com Flights MCP — agentic threat model
The Kiwi.com Flights MCP is a read-only travel search connector with low agentic risk, primarily acting as an informational tool, though it requires secure API key management and validation of its outputs to prevent downstream financial or booking errors.
OWASP AIVSS score rationale
| Agentic risk factor | Value |
| --- | --- |
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The connector relies on external host LLMs to parse user intent into flight search parameters. Threats include prompt injection manipulating search filters or causing the model to misinterpret pricing data.
Layer 2 (Data Operations): The tool acts as a gateway to Kiwi.com's real-time travel inventory. Main threats involve data integrity, where manipulated or poisoned API responses could steer downstream booking systems toward incorrect or malicious routes.
Layer 3 (Agent Frameworks): The agent framework orchestrates tool calls to Kiwi's endpoints. Risks include insecure tool integration, where unvalidated user inputs are passed directly to the flight search API, potentially causing injection vulnerabilities or API abuse.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The MCP server requires hosting and secure storage of Kiwi.com API credentials. Compromise of this layer could lead to API key theft or unauthorized access to the hosting environment.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in logging, rate-limiting, or validation guardrails to monitor API usage patterns or detect anomalous query volumes.
Layer 6 (Security and Compliance): The primary security control is the management of the Kiwi.com API key. Access controls must ensure only authorized users or parent agents can invoke this connector to prevent quota exhaustion or unauthorized data scraping.
Layer 7 (Agent Ecosystem): As an MCP tool, this agent is designed to be called by other orchestrator agents. A compromised orchestrator could abuse this tool for denial-of-service on the API, or use its flight data to feed malicious downstream booking workflows.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).