Perplexity Ask MCP Server — agentic threat model
The Perplexity Ask MCP Server acts as a bridge for live web-grounded Q&A, introducing a high risk of indirect prompt injection from untrusted external web content into the host client's context window.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Utilizes Perplexity's Sonar models for live web-grounded Q&A. The primary threat is model reprogramming or alignment bypass via adversarial web content retrieved during real-time searches.
Performs real-time RAG by fetching external web content. Highly vulnerable to data poisoning and indirect prompt injection, as untrusted third-party web pages are ingested directly into the context window.
Exposes a tool-calling interface via the Model Context Protocol (MCP). Vulnerabilities include insecure tool integration if the host client executes actions based on the injected instructions returned in the search results.
Requires local or containerized deployment as an MCP server, authenticating via a Perplexity API key. Risks include local credential exposure of the API key if the host environment is compromised.
Not certain from the listing — likely relies on the host MCP client for logging and monitoring of tool execution, with no explicit mention of built-in guardrails or injection-filtering layers.
Implements basic API-key authentication to access the Perplexity Sonar API. Lacks advanced authorization policies, relying on the user to secure the local MCP configuration.
Designed to operate within an MCP ecosystem where other agents or clients call this server. A compromise or injection in this server can cascade to other connected agents in the client workspace.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).