
OneSignal MCP — agentic threat model

AIVSS 9.6 · Critical

The OneSignal MCP agent presents a high-risk profile due to its ability to translate natural language into real-world communication actions (push, SMS, email) with a large blast radius. Without explicit human-in-the-loop controls or robust input sanitization, it is highly vulnerable to prompt injection leading to unauthorized mass messaging.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 9.3
AARS uplift: 0.32
Factor sum: 4.2 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.40
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.20
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
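The arithmetic above can be checked end to end. The block below is an added example, not part of the listing or of the AIVSS calculator it references: it carries the page's formula through with the ten factor values as given, and also breaks AARS down per factor so it is visible which capability contributes most of the uplift. The severity bands and the clamp at 10.0 are assumptions borrowed from CVSS; the page only states the final "Critical" label.

```python
"""Recompute the AIVSS score on this page from its stated inputs (added example)."""
from dataclasses import dataclass
from typing import Dict

# Agentic risk factor values as listed above (each on a 0.0 to 1.0 scale).
AGENTIC_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


@dataclass
class AivssResult:
    factor_sum: float   # sum of the ten agentic factors (0..10)
    aars: float         # agentic uplift added on top of the CVSS base
    score: float        # final AIVSS, rounded to one decimal
    severity: str


def severity_band(score: float) -> str:
    # Assumption: CVSS v3.1 qualitative bands; the page itself only shows "Critical".
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def aivss(cvss_base: float, factors: Dict[str, float],
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> AivssResult:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, with
    AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, exactly as stated on the page."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0.0..10.0")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be within 0.0..1.0")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    score = min(score, 10.0)  # assumption: clamp at the scale maximum, as CVSS does
    return AivssResult(round(factor_sum, 2), round(aars, 2), round(score, 1),
                       severity_band(score))


def uplift_by_factor(cvss_base: float, factors: Dict[str, float],
                     threat_multiplier: float = 1.0) -> Dict[str, float]:
    """Each factor's share of AARS, largest first: shows which capability drives the uplift."""
    share = {name: round((10.0 - cvss_base) * (value / 10.0) * threat_multiplier, 4)
             for name, value in factors.items()}
    return dict(sorted(share.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    result = aivss(9.3, AGENTIC_FACTORS, threat_multiplier=1.1)
    print(result)
    for name, share in uplift_by_factor(9.3, AGENTIC_FACTORS, 1.1).items():
        print(f"{name:<26} +{share:.4f}")
```

With the page's inputs the function returns factor sum 4.2, AARS 0.32 and a score of 9.6; Dynamic Tool Use (0.80) is the single largest contributor to the uplift, which matches the narrative above about the tool-calling blast radius. Because the base CVSS already sits at 9.3, only 0.7 points of headroom remain for the agentic uplift, so the agentic factors move the final score far less than the base vector does.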

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing does not specify the underlying LLM used to parse natural language into OneSignal API calls. Threats include prompt injection leading to unauthorized message broadcasts or segment manipulation.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The listing does not detail how audience data or templates are stored or if a vector database is used. Threats include data exfiltration of audience segments or delivery stats.

L3 · Agent Frameworks (✓ mapped)

The agent acts as an MCP tool that translates natural language into OneSignal API calls. Insecure tool integration and prompt injection are major threats, as malicious inputs could trick the agent into sending unauthorized broadcasts to real users.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The hosting environment for the MCP server and how OneSignal API keys are securely stored are not detailed. Threats include credential theft of OneSignal API keys from the environment.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of guardrails, human-in-the-loop (HITL) approval steps, or logging mechanisms to detect anomalous or malicious broadcast requests.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The agent holds sensitive OneSignal API keys capable of broadcasting to real end-users. There is a lack of explicit authorization policies or access controls mentioned to restrict who can trigger broadcasts.

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, this agent can be integrated into larger multi-agent systems. A compromised upstream agent could abuse this tool to send spam or phishing messages to the entire user base.
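Layers L3, L5, L6 and L7 above all point at the same missing control: nothing sits between the model's reading of a prompt and the broadcast call to check scope, links or approval. The block below is an added example of such a gate, not code from the listing, from OneSignal or from the MCP server it describes. The tool names, the shape of a tool call, the link-domain allow-list and the recipient threshold are all constructed assumptions; the design point is that the decision is made on the action's parameters, which is what actually ships, rather than on the prompt text, which may be attacker-influenced.

```python
"""Policy gate in front of an MCP messaging tool (added example, hypothetical names)."""
import json
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical tool names modelled on the listing's "push, SMS, email"; not OneSignal's API.
BROADCAST_TOOLS = {"send_push", "send_sms", "send_email"}
# Constructed allow-list: link domains the organisation actually owns.
ALLOWED_LINK_DOMAINS = {"example.com", "app.example.com"}
# Assumption: small explicit recipient lists may go out without a second pair of eyes.
MAX_UNAPPROVED_RECIPIENTS = 10

_URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)


@dataclass
class Decision:
    action: str                       # "allow" | "require_approval" | "deny"
    reasons: List[str] = field(default_factory=list)


def link_domains(text: str) -> List[str]:
    """Hostnames of every http(s) link in a message body, lower-cased."""
    return [h.lower() for h in _URL_HOST.findall(text or "")]


def evaluate(call: Dict, approver: Optional[str] = None) -> Decision:
    """Decide on a proposed tool call from the action's shape, not from the prompt."""
    tool = call.get("tool")
    if tool not in BROADCAST_TOOLS:
        return Decision("allow", [f"{tool!r} is not a broadcast tool"])

    # Links outside the organisation's domains are refused outright (L7: a compromised
    # upstream agent turning the tool into a phishing channel).
    offsite = [d for d in link_domains(call.get("body", "")) if d not in ALLOWED_LINK_DOMAINS]
    if offsite:
        return Decision("deny", [f"link to non-allowlisted domain {d}" for d in offsite])

    # Blast radius: any segment send, or a large explicit list, needs human approval
    # (L5/L6), and the requester may not approve its own send.
    segments = call.get("segments", [])
    recipients = call.get("recipients", [])
    wide = bool(segments) or len(recipients) > MAX_UNAPPROVED_RECIPIENTS
    if wide:
        if approver is None:
            return Decision("require_approval",
                            [f"segments={segments} recipients={len(recipients)} exceed unapproved scope"])
        if approver == call.get("requested_by"):
            return Decision("require_approval", ["requester cannot approve its own broadcast"])
        return Decision("allow", [f"broadcast approved by {approver}"])
    return Decision("allow", ["within unapproved scope"])


def audit_record(call: Dict, decision: Decision, approver: Optional[str] = None) -> str:
    """One JSON line per decision, so anomalous broadcast requests can be reviewed (L5)."""
    return json.dumps({
        "ts": int(time.time()),
        "tool": call.get("tool"),
        "requested_by": call.get("requested_by"),
        "segments": call.get("segments", []),
        "recipient_count": len(call.get("recipients", [])),
        "approver": approver,
        "decision": decision.action,
        "reasons": decision.reasons,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: an assistant, acting on natural-language input, proposes a segment push.
    proposed = {"tool": "send_push", "requested_by": "agent:assistant",
                "segments": ["All Users"],
                "body": "Reset your password at https://app.example.com/reset"}
    print(audit_record(proposed, evaluate(proposed)))
    print(audit_record(proposed, evaluate(proposed, approver="ops@example.com"), "ops@example.com"))
```

Run as a script, the first audit line shows the segment push held for approval and the second shows it allowed once a human other than the requesting agent signs off. The gate deliberately knows nothing about the prompt that produced the call: an injected instruction still has to materialise as a segment, a large recipient list or an off-domain link before anything leaves, and each of those is a structured field the gate can refuse or hold.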

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).