mcp-google-ads — agentic threat model
The mcp-google-ads agent presents a high data-exposure risk due to its handling of sensitive Google Ads developer tokens and multi-account OAuth credentials, lacking built-in authorization boundaries to prevent unauthorized cross-account querying by orchestrating LLMs.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.50 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.70 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The MCP server itself does not specify a foundation model, but the LLM driving it is vulnerable to prompt injection which could force unauthorized queries across OAuth-linked accounts.
Exposes sensitive Google Ads performance, spend, and keyword data. Risks include data exfiltration of proprietary marketing strategies and search-term analytics via unauthorized queries.
Integrates via Model Context Protocol (MCP). Vulnerable to tool misuse where an orchestrating agent is manipulated into querying unauthorized accounts or leaking OAuth-session data.
Not certain from the listing — Hosting environment is unspecified. If deployed locally or in an un-sandboxed container, the developer token and multi-account OAuth credentials stored in configuration files are vulnerable to local extraction.
Not certain from the listing — No built-in logging, guardrails, or query-limiting mechanisms are mentioned, creating a blind spot for monitoring unauthorized data access or credential abuse.
Relies on Google Ads developer tokens and multi-account OAuth. Lacks explicit authorization boundaries within the MCP session, potentially allowing any connected agent to query any linked account.
Designed for multi-account MCP environments. A compromised agent in the same ecosystem could abuse the trust relationship to silently harvest marketing data across all configured Google Ads accounts.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).