AgentReadyHomeAgent Listing

← mcp-google-ads

mcp-google-ads — agentic threat model

8.2AIVSS 8.2 · High

The mcp-google-ads agent presents a high data-exposure risk due to its handling of sensitive Google Ads developer tokens and multi-account OAuth credentials, lacking built-in authorization boundaries to prevent unauthorized cross-account querying by orchestrating LLMs.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5AARS uplift 0.7Factor sum 2.8/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.30
Goal-Driven Planning
0.20
Self-Modification
0.00
Dynamic Tool Use
0.50
Persistent Memory
0.10
Contextual Awareness
0.30
Dynamic Identity
0.70
Multi-Agent Interactions
0.20
Non-Determinism
0.30
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The MCP server itself does not specify a foundation model, but the LLM driving it is vulnerable to prompt injection which could force unauthorized queries across OAuth-linked accounts.

L2 · Data Operations✓ mapped

Exposes sensitive Google Ads performance, spend, and keyword data. Risks include data exfiltration of proprietary marketing strategies and search-term analytics via unauthorized queries.

L3 · Agent Frameworks✓ mapped

Integrates via Model Context Protocol (MCP). Vulnerable to tool misuse where an orchestrating agent is manipulated into querying unauthorized accounts or leaking OAuth-session data.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — Hosting environment is unspecified. If deployed locally or in an un-sandboxed container, the developer token and multi-account OAuth credentials stored in configuration files are vulnerable to local extraction.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — No built-in logging, guardrails, or query-limiting mechanisms are mentioned, creating a blind spot for monitoring unauthorized data access or credential abuse.

L6 · Security & Compliance (cross-cutting)✓ mapped

Relies on Google Ads developer tokens and multi-account OAuth. Lacks explicit authorization boundaries within the MCP session, potentially allowing any connected agent to query any linked account.

L7 · Agent Ecosystem✓ mapped

Designed for multi-account MCP environments. A compromised agent in the same ecosystem could abuse the trust relationship to silently harvest marketing data across all configured Google Ads accounts.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).