Perplexity Ask MCP (Sonar) — agentic threat model
This agent acts as a bridge between MCP clients and the Perplexity Sonar API, introducing risks of indirect prompt injection from untrusted web content and API key exposure, though its direct action execution capabilities are limited.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.40 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" are general, caveated commentary where the public description did not pin that layer.
Layer 1 (Foundation Models): Utilizes Perplexity's Sonar reasoning and deep-research models. Vulnerable to prompt injection and adversarial manipulation via the web-grounded text it retrieves and synthesizes.
Layer 2 (Data Operations): Performs real-time web search and RAG. Highly vulnerable to data poisoning and indirect prompt injection from malicious web pages indexed during live queries.
Layer 3 (Agent Frameworks): Exposes MCP tools (perplexity_ask and variants) to client frameworks. Risks include tool misuse, where client agents over-rely on untrusted search results or pass malicious parameters.
Layer 4 (Deployment and Infrastructure): Requires hosting as an MCP server. Holds a sensitive Perplexity API key and is vulnerable to credential theft or credit exhaustion if the hosting environment or client is compromised.
Layer 5 (Evaluation and Observability): Not certain from the listing — No explicit logging, guardrails, or observability features are mentioned for monitoring query content, API spend, or injection attempts.
Layer 6 (Security and Compliance): Not certain from the listing — Lacks details on access control, rate limiting, or policy enforcement mechanisms to prevent unauthorized clients from abusing the MCP server.
Layer 7 (Agent Ecosystem): Designed as a drop-in tool for any MCP client. This creates a multi-agent trust-boundary risk where upstream agents consume potentially poisoned search summaries without validation.
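The layer 3 to 6 threats above (malicious tool parameters, API key exposure, missing logging, missing rate limiting, and unvalidated web-grounded output) can be addressed with a thin guard around the upstream call. The following is an added illustration, not code from the Perplexity MCP project: `call_sonar`, the rate-limit policy, the placeholder key and the `<<<UNTRUSTED_WEB_CONTENT>>>` delimiters are all assumptions of this example.

```python
import hashlib
import logging
import re
from collections import defaultdict, deque

# Constructed placeholder: a real server reads the key from its environment.
PERPLEXITY_API_KEY = "pplx-PLACEHOLDER-KEY"
RATE_LIMIT, WINDOW_S = 5, 60.0  # hypothetical policy: 5 calls per client per 60 s
_calls = defaultdict(deque)     # client_id -> timestamps of recent calls
log = logging.getLogger("perplexity_mcp_guard")

def redact(text: str) -> str:
    # Strip the API key from anything that may reach logs or an MCP client.
    return text.replace(PERPLEXITY_API_KEY, "[REDACTED_API_KEY]")

def allow_call(client_id: str, now: float) -> bool:
    """Sliding-window rate limit per MCP client; limits credit exhaustion."""
    q = _calls[client_id]
    while q and now - q[0] > WINDOW_S:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def validate_query(query: str) -> str:
    """Reject malformed tool parameters and drop control characters."""
    if not isinstance(query, str) or not query.strip():
        raise ValueError("query must be a non-empty string")
    if len(query) > 2000:  # cap tool-parameter size
        raise ValueError("query exceeds 2000 characters")
    return re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", query)

def wrap_untrusted(answer: str, citations: list) -> str:
    """Mark web-grounded output as data, not instructions, for the consuming agent."""
    digest = hashlib.sha256(answer.encode()).hexdigest()[:16]
    body = answer.replace("<<<", "< <<").replace(">>>", "> >>")  # block delimiter spoofing
    return (f"<<<UNTRUSTED_WEB_CONTENT sha256={digest} sources={len(citations)}>>>\n"
            f"{body}\n<<<END_UNTRUSTED_WEB_CONTENT>>>")

def guarded_ask(client_id: str, query: str, call_sonar, now: float) -> str:
    """call_sonar(query) -> (answer, citations) is the injected upstream call (hypothetical)."""
    if not allow_call(client_id, now):
        raise PermissionError("rate limit exceeded for client %s" % client_id)
    clean = validate_query(query)
    log.info("client=%s query_sha256=%s", client_id, hashlib.sha256(clean.encode()).hexdigest()[:16])
    try:
        answer, citations = call_sonar(clean)
    except Exception as exc:  # never echo the key back through the MCP channel
        raise RuntimeError(redact(str(exc))) from None
    return wrap_untrusted(answer, citations)
```

The consuming agent's system prompt must still be told to treat anything between the delimiters as quoted data; the wrapper only makes the trust boundary explicit and auditable.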
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).