

Perplexity Ask MCP (Sonar) — agentic threat model

AIVSS 7.2 · High

This agent acts as a bridge between MCP clients and the Perplexity Sonar API, introducing risks of indirect prompt injection from untrusted web content and API key exposure, though its direct action execution capabilities are limited.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 6.1
AARS uplift: 1.47
Factor sum: 3.6/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.40
Persistent Memory: 0.10
Contextual Awareness: 0.80
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.50
Non-Determinism: 0.70
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
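As an added example that is not part of the listing, the following Python recomputes the AIVSS score from the formula and the ten factor values shown above, so the published 7.2 / High rating can be checked rather than taken on trust. The qualitative severity bands are an assumption (CVSS v3.x bands), not something the listing states.

```python
# Added example, not part of the listing: recompute the OWASP AIVSS score above
# from the ten agentic risk factors, to check the published 7.2 / High rating.
from typing import Dict, Tuple

FACTORS: Dict[str, float] = {  # values copied from the listing
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.40,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.40,
}
CVSS_BASE = 6.1           # from the listing
THREAT_MULTIPLIER = 1.05  # "Threat x1.05" on the listing
MITIGATION_FACTOR = 0.95  # "Mitigation x0.95" on the listing


def aars(cvss_base: float, factors: Dict[str, float], thm: float) -> float:
    """Agentic risk uplift: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:  # each factor is scored on a 0..1 scale
            raise ValueError(f"factor {name!r} out of range: {value}")
    return (10.0 - cvss_base) * (sum(factors.values()) / 10.0) * thm


def aivss(cvss_base: float, factors: Dict[str, float], thm: float, mitigation: float) -> float:
    """Final score: (CVSS_Base + AARS) * Mitigation_Factor, clamped to 0..10."""
    return min(10.0, max(0.0, (cvss_base + aars(cvss_base, factors, thm)) * mitigation))


def severity(score: float) -> str:
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3.x bands."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"


def score_listing() -> Tuple[float, float, str]:
    """(AARS uplift, AIVSS, band) for this listing, rounded as the page shows."""
    uplift = aars(CVSS_BASE, FACTORS, THREAT_MULTIPLIER)
    total = aivss(CVSS_BASE, FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    return round(uplift, 2), round(total, 1), severity(total)
```

Running `score_listing()` returns `(1.47, 7.2, 'High')`, matching the uplift, score and band published on the listing.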

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Utilizes Perplexity's Sonar reasoning and deep-research models. Vulnerable to prompt injection and adversarial manipulation via the web-grounded text it retrieves and synthesizes.

L2 · Data Operations (✓ mapped)

Performs real-time web search and RAG. Highly vulnerable to data poisoning and indirect prompt injection from malicious web pages indexed during live queries.

L3 · Agent Frameworks (✓ mapped)

Exposes MCP tools (perplexity_ask and variants) to client frameworks. Risks include tool misuse where client agents over-rely on untrusted search results or pass malicious parameters.

L4 · Deployment & Infrastructure (✓ mapped)

Requires hosting as an MCP server. Holds a sensitive Perplexity API key and is vulnerable to credential theft or credit exhaustion if the hosting environment or client is compromised.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — no explicit logging, guardrails, or observability features are mentioned for monitoring query content, API spend, or injection attempts.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — no details are given on access control, rate limiting, or policy enforcement mechanisms to prevent unauthorized clients from abusing the MCP server.

L7 · Agent Ecosystem (✓ mapped)

Designed as a drop-in tool for any MCP client. This creates a multi-agent trust boundary risk where upstream agents consume potentially poisoned search summaries without validation.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).