AgentReadyHomeAgent Listing

← OfficeMCP

OfficeMCP — agentic threat model

9.0AIVSS 9.0 · Critical

OfficeMCP presents a high-risk profile due to its direct integration with Microsoft 365 via delegated OAuth, allowing natural-language execution of actions like sending emails, modifying calendars, and accessing OneDrive files, which makes it highly susceptible to indirect prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.8AARS uplift 0.67Factor sum 5.1/10Threat ×1.1Mitigation ×0.95
Autonomy of Action
0.70
Goal-Driven Planning
0.50
Self-Modification
0.10
Dynamic Tool Use
0.80
Persistent Memory
0.30
Contextual Awareness
0.60
Dynamic Identity
0.80
Multi-Agent Interactions
0.40
Non-Determinism
0.50
Opacity & Reflexivity
0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — OfficeMCP acts as an MCP server and does not specify its underlying foundation model. The primary threat is model reprogramming or jailbreaking via malicious emails or documents processed by the model.

L2 · Data Operations✓ mapped

Directly accesses OneDrive, SharePoint, and Mail. The primary threat is data exfiltration or knowledge-base poisoning where an attacker places a malicious file in SharePoint to hijack the agent's context during retrieval.

L3 · Agent Frameworks✓ mapped

Exposes powerful tools for Mail, Calendar, and Teams. Insecure tool integration is a critical threat, as indirect prompt injections from incoming emails or chats can trigger unauthorized tool execution (e.g., sending emails or deleting files).

L4 · Deployment & Infrastructure✓ mapped

Operates as a remote MCP server. Threats include insecure storage of OAuth tokens, lack of transport layer security, and potential host compromise if the MCP server process is not properly sandboxed.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there is no mention of built-in guardrails, logging, or transaction monitoring to detect anomalous Microsoft Graph API calls or prompt injection attempts.

L6 · Security & Compliance (cross-cutting)✓ mapped

Uses delegated OAuth to Microsoft Graph. While this limits actions to the user's scope, the lack of explicit human-in-the-loop (HITL) confirmation for sensitive actions (like sending emails or sharing files) poses a major compliance and security risk.

L7 · Agent Ecosystem✓ mapped

As an MCP server, it is designed to be called by other host agents. This introduces significant multi-agent trust abuse risks, where a compromised host agent can abuse OfficeMCP's delegated authority to exfiltrate enterprise data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).