
Perplexity Ask MCP Server — agentic threat model

AIVSS 7.0 · High

The Perplexity Ask MCP Server acts as a bridge for live web-grounded Q&A, introducing a high risk of indirect prompt injection from untrusted external web content into the host client's context window.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 6.1
AARS uplift: 1.31
Factor sum: 3.2/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.10
Contextual Awareness: 0.80
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.40
Non-Determinism: 0.70
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
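As an added worked example (written for this page, not taken from the AgentReadyHome listing or from OWASP's own calculator), the following Python carries the AIVSS formula above through with the factor values given for this server. The 0..1 range check on each factor is inferred from the "3.2/10" presentation of the factor sum, and rounding to one decimal place mirrors how the listing displays its figures; both are assumptions, not part of the stated formula.

```python
"""Worked AIVSS computation for the Perplexity Ask MCP Server listing.

Formula as stated on the page:
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
"""

# The ten OWASP AIVSS agentic risk factors, with the values given on the page.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.40,
}


def aivss_score(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Return (factor_sum, aars, aivss) computed with the page's formula.

    Assumptions (not part of the formula text): each factor lies in 0..1 so
    that ten factors sum to at most 10, and results are rounded the way the
    listing displays them (two decimals for the intermediates, one for the
    final score).
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must lie within 0..10")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must lie within 0..1, got {value}")

    factor_sum = sum(factors.values())
    # Agentic uplift: the headroom left above the CVSS base, scaled by the
    # fraction of agentic risk present and by the threat multiplier.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    # Final score: base plus uplift, discounted by the mitigation factor.
    aivss = (cvss_base + aars) * mitigation_factor
    return round(factor_sum, 2), round(aars, 2), round(aivss, 1)


if __name__ == "__main__":
    fs, aars, score = aivss_score(6.1, AGENTIC_FACTORS, 1.05, 0.95)
    print(f"factor sum {fs}/10, AARS uplift {aars}, AIVSS {score}")
```

Running the block with the page's inputs (CVSS base 6.1, ThM 1.05, mitigation 0.95) reproduces the listing's factor sum of 3.2, AARS uplift of 1.31 and final score of 7.0; the same function also makes the sensitivity visible, for example the score with no mitigation discount at all.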

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models (✓ mapped)

Utilizes Perplexity's Sonar models for live web-grounded Q&A. The primary threat is model reprogramming or alignment bypass via adversarial web content retrieved during real-time searches.

L2 · Data Operations (✓ mapped)

Performs real-time RAG by fetching external web content. Highly vulnerable to data poisoning and indirect prompt injection, as untrusted third-party web pages are ingested directly into the context window.

L3 · Agent Frameworks (✓ mapped)

Exposes a tool-calling interface via the Model Context Protocol (MCP). Vulnerabilities include insecure tool integration if the host client executes actions based on the injected instructions returned in the search results.

L4 · Deployment & Infrastructure (✓ mapped)

Requires local or containerized deployment as an MCP server, authenticating via a Perplexity API key. Risks include local credential exposure of the API key if the host environment is compromised.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — likely relies on the host MCP client for logging and monitoring of tool execution, with no explicit mention of built-in guardrails or injection-filtering layers.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Implements basic API-key authentication to access the Perplexity Sonar API. Lacks advanced authorization policies, relying on the user to secure the local MCP configuration.

L7 · Agent Ecosystem (✓ mapped)

Designed to operate within an MCP ecosystem where other agents or clients call this server. A compromise or injection in this server can cascade to other connected agents in the client workspace.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).