OneSignal MCP — agentic threat model
The OneSignal MCP agent presents a high-risk profile due to its ability to translate natural language into real-world communication actions (push, SMS, email) with a large blast radius. Without explicit human-in-the-loop controls or robust input sanitization, it is highly vulnerable to prompt injection leading to unauthorized mass messaging.
OWASP AIVSS score rationale
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.40 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The listing does not specify the underlying LLM used to parse natural language into OneSignal API calls. Threats include prompt injection leading to unauthorized message broadcasts or segment manipulation.
Not certain from the listing — The listing does not detail how audience data or templates are stored or if a vector database is used. Threats include data exfiltration of audience segments or delivery stats.
The agent acts as an MCP tool that translates natural language into OneSignal API calls. Insecure tool integration and prompt injection are major threats, as malicious inputs could trick the agent into sending unauthorized broadcasts to real users.
Not certain from the listing — The hosting environment for the MCP server and how OneSignal API keys are securely stored are not detailed. Threats include credential theft of OneSignal API keys from the environment.
Not certain from the listing — There is no mention of guardrails, human-in-the-loop (HITL) approval steps, or logging mechanisms to detect anomalous or malicious broadcast requests.
The agent holds sensitive OneSignal API keys capable of broadcasting to real end-users. There is a lack of explicit authorization policies or access controls mentioned to restrict who can trigger broadcasts.
As an MCP tool, this agent can be integrated into larger multi-agent systems. A compromised upstream agent could abuse this tool to send spam or phishing messages to the entire user base.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).