
Meilisearch — agentic threat model

AIVSS 7.5 · High

The Meilisearch MCP server acts as a direct bridge between LLMs and search indexes, introducing risks of unauthorized index modification and data exfiltration if the agent is manipulated via prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 7.5 · AARS uplift 0.87 · Factor sum 3.3/10 · Threat multiplier (ThM) ×1.05 · Mitigation factor ×0.9

The listed values reproduce the headline score: AARS = 2.5 × 0.33 × 1.05 ≈ 0.87, and (7.5 + 0.87) × 0.9 ≈ 7.5.

Agentic risk factors (ten factors, summing to 3.3 of a possible 10):
Autonomy of Action 0.40
Goal-Driven Planning 0.20
Self-Modification 0.10
Dynamic Tool Use 0.60
Persistent Memory 0.30
Contextual Awareness 0.50
Dynamic Identity 0.20
Multi-Agent Interactions 0.30
Non-Determinism 0.40
Opacity & Reflexivity 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
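The score arithmetic carried through in code, as an added example rather than anything from the listing or the AIVSS calculator: it evaluates the formula quoted above with the ten factor values from the table, checks the input ranges, and labels the result. The severity bands (CVSS-style: 0.1 to 3.9 Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, 9.0 and above Critical) and the clamp at 10 are this example's assumptions, not something the page states.

```python
"""Worked AIVSS computation for the Meilisearch MCP listing.

Added example, not part of the listing. Evaluates
AIVSS = (CVSS_Base + AARS) x Mitigation_Factor with
AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, using the ten factor
values from the table. Severity bands and the clamp at 10 are assumptions.
"""

# Agentic risk factors as listed on the page.
MEILISEARCH_FACTORS = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}


def severity(score):
    """Map a 0-10 score to a label (assumed CVSS-style bands)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Evaluate the AIVSS formula and return its intermediate terms.

    With ThM = 1 the uplift (10 - CVSS_Base) x Factor_Sum / 10 can at most fill
    the headroom above the CVSS base, since each factor is capped at 1.0. A
    ThM above 1 can push past 10; clamping there is an assumption of this
    example, not a rule stated on the page.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1]")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = min(10.0, (cvss_base + aars) * mitigation_factor)
    return {
        "factor_sum": factor_sum,
        "aars": aars,
        "aivss": score,
        "severity": severity(score),
    }


if __name__ == "__main__":
    result = aivss_score(7.5, MEILISEARCH_FACTORS,
                         threat_multiplier=1.05, mitigation_factor=0.9)
    print(f"factor sum {result['factor_sum']:.1f}/10, "
          f"AARS uplift {result['aars']:.2f}, "
          f"AIVSS {result['aivss']:.1f} ({result['severity']})")
```

Running it prints factor sum 3.3/10, AARS uplift 0.87 and AIVSS 7.5 (High), matching the headline; changing Dynamic Tool Use or Autonomy of Action is the quickest way to see how much of the score the agentic uplift actually contributes versus the CVSS base.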

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not give enough detail to map that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing: the MCP server does not define the foundation model, but whichever host LLM drives it is exposed to prompt injection, including indirect injection through document text returned in search results, which can steer the agent into unintended queries or index modifications.

L2 · Data Operations ✓ mapped

Meilisearch manages full-text and semantic (vector) search indexes. Threats include poisoning of the index with documents crafted to steer later results, embedding inversion against stored vectors, and exfiltration of sensitive documents returned in search results to a prompt-injected agent.

L3 · Agent Frameworks ✓ mapped

The MCP server exposes tools for index management as well as querying. If destructive tools (index deletion, document updates, settings changes) sit alongside search in the model's tool list, and tool arguments are passed to Meilisearch without validation, a manipulated agent can delete or alter indexes rather than merely query them.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing: deployment security depends on how the MCP host and the Meilisearch instance are isolated, but an API key exposed through environment variables or config files, and unencrypted transport between the host and the instance, are significant infrastructure risks.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing: there is no mention of built-in guardrails, query logging or anomaly detection that would surface malicious search patterns or unauthorized index modifications, so operators should expect to add that monitoring at the MCP host or Meilisearch level themselves.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The integration relies on Meilisearch API-key authentication. The risk is privilege creep: if the key the MCP server presents is an administrative key (actions `*`, valid for every index) rather than one restricted to `search` on the indexes the agent needs, every successful prompt injection becomes a write or delete.
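One way to check the key an MCP server has been handed, as an added example that is neither the listing's nor Meilisearch's own code: it assumes key objects shaped like the results of Meilisearch's GET /keys endpoint (fields name, actions, indexes, expiresAt), expands Meilisearch's wildcard actions (`*`, `documents.*`) against a list of write/delete actions, and builds the POST /keys body for a search-only replacement. `READ_ONLY_ACTIONS` is this example's own allowlist, and the sample keys at the bottom are constructed, mirroring the two keys a fresh instance ships with.

```python
"""Least-privilege audit of the Meilisearch API key handed to an MCP server.

Added example, not code from the listing or from Meilisearch. Key objects are
assumed to have the fields Meilisearch returns from GET /keys ("name",
"actions", "indexes", "expiresAt"); the sample keys at the bottom are
constructed for this example.
"""
from fnmatch import fnmatchcase

# What a search-only integration needs: this example's allowlist, an assumption
# about the agent's job (run queries, read index metadata).
READ_ONLY_ACTIONS = {"search", "indexes.get", "documents.get", "settings.get",
                     "stats.get", "version"}

# Meilisearch actions that write, reconfigure or destroy data, or mint keys.
# A prompt-injected agent holding any of these can poison or wipe an index.
DESTRUCTIVE_ACTIONS = {
    "documents.add", "documents.delete",
    "indexes.create", "indexes.update", "indexes.delete", "indexes.swap",
    "settings.update",
    "keys.create", "keys.update", "keys.delete",
}


def action_permitted(granted, action):
    """True if any granted pattern covers `action`.

    Meilisearch grants actions as exact names ("search") or wildcards
    ("*", "documents.*"); fnmatch-style matching covers both forms.
    """
    return any(fnmatchcase(action, pattern) for pattern in granted)


def excess_actions(key, allowed=READ_ONLY_ACTIONS):
    """Destructive actions the key can perform that are not in `allowed`.

    Wildcards are expanded against DESTRUCTIVE_ACTIONS, so a key with "*"
    reports every concrete write/delete action it really grants.
    """
    return sorted(a for a in DESTRUCTIVE_ACTIONS
                  if a not in allowed and action_permitted(key["actions"], a))


def audit_key(key, allowed=READ_ONLY_ACTIONS):
    """Return a list of findings; an empty list means the key is scoped as expected."""
    findings = []
    excess = excess_actions(key, allowed)
    if excess:
        findings.append("grants write/delete actions: " + ", ".join(excess))
    if "*" in key.get("indexes", []):
        findings.append("valid for every index; restrict it to the indexes the agent serves")
    if key.get("expiresAt") is None:
        findings.append("never expires; set expiresAt so a leaked key has a bounded lifetime")
    return findings


def search_only_key_request(indexes, expires_at, name="mcp-search"):
    """Body for Meilisearch's POST /keys that mints a key limited to search on `indexes`."""
    return {
        "name": name,
        "description": "Search-only key for the MCP server",
        "actions": ["search"],
        "indexes": list(indexes),
        "expiresAt": expires_at,
    }


# Constructed samples: the two keys a fresh Meilisearch instance ships with and
# a properly scoped key an operator would mint for the agent.
SAMPLE_KEYS = [
    {"name": "Default Admin API Key", "actions": ["*"], "indexes": ["*"], "expiresAt": None},
    {"name": "Default Search API Key", "actions": ["search"], "indexes": ["*"], "expiresAt": None},
    {"name": "mcp-search", "actions": ["search", "indexes.get"], "indexes": ["docs"],
     "expiresAt": "2026-12-31T00:00:00Z"},
]

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        findings = audit_key(key)
        print(f"{key['name']}: {'OK' if not findings else '; '.join(findings)}")
    print(search_only_key_request(["docs"], "2026-12-31T00:00:00Z"))
```

The admin key is reported with every write/delete action it grants; the default search key passes the action check but is still flagged for being valid on every index and never expiring, which is why a dedicated key scoped to the agent's indexes is the right thing to hand an MCP server. Point `audit_key` at the live GET /keys output to check a real deployment.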

L7 · Agent Ecosystem ✓ mapped

As an MCP tool the server is designed to be called by orchestrators or other agents, so a compromised upstream agent can request destructive index actions; without a trust boundary on that path, the upstream compromise cascades into the search data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).