← Perplexity AI (Composio MCP)
Perplexity AI (Composio MCP) — agentic threat model
This agent acts as an information-retrieval bridge via the Model Context Protocol, presenting moderate risk primarily through downstream injection of untrusted web content and potential exposure of managed API keys.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
The agent relies on external Perplexity models. The primary threat is prompt injection or adversarial content embedded in retrieved web pages that can reprogram the model's output during synthesis.
Data operations involve real-time web scraping and synthesis. There is a high risk of indirect prompt injection and data poisoning from untrusted web sources propagating into the citation-backed answers.
The framework wraps the Perplexity API as MCP tools. Risks include insecure tool integration where malicious user inputs manipulate the query parameters sent to the Perplexity API.
Composio manages the authentication and API keys. The primary threat is the exposure or compromise of the managed Perplexity API keys within the hosting or integration environment.
Not certain from the listing — there is no explicit mention of real-time guardrails, output filtering, or logging of synthesized answers to detect injected malicious payloads before they reach the user.
Composio handles authorization and credential management. Security relies heavily on Composio's IAM policies and the isolation of the connected API keys from unauthorized local MCP clients.
As an MCP tool, this agent is designed to be called by other host agents. A compromised host agent could abuse this tool to exfiltrate data via search queries or be misled by poisoned search results.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).