AgentReady

pskill9/web-search — agentic threat model

AIVSS 6.9 · Medium

This agentic tool presents a moderate risk profile primarily driven by its role as an unauthenticated gateway to external web content, making it a highly viable vector for indirect prompt injection attacks via scraped search snippets.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 6.1
AARS uplift: 0.78
Factor sum: 2.0 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0
Agentic risk factors:

Autonomy of Action: 0.20
Goal-Driven Planning: 0.00
Self-Modification: 0.00
Dynamic Tool Use: 0.10
Persistent Memory: 0.00
Contextual Awareness: 0.30
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.40
Non-Determinism: 0.70
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
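As an added check (example code, not from the AgentReady listing or the OWASP calculator), the following recomputes the score above from the listed factors with the formula given. The severity-band thresholds are an assumption, since the listing only shows the "Medium" label.

```python
# Added example: recompute the AIVSS score for pskill9/web-search from the
# figures shown above (not code from the AgentReady listing or OWASP).

# Agentic risk factors exactly as listed on the page.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.00,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.10,
    "Persistent Memory": 0.00,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.30,
}

CVSS_BASE = 6.1          # CVSS base score from the listing
THREAT_MULTIPLIER = 1.0  # ThM, shown as "Threat x1.0"
MITIGATION_FACTOR = 1.0  # shown as "Mitigation x1.0" (no mitigation credit)


def aars(cvss_base, factors, thm):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, as on the page."""
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, as on the page."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def severity(score):
    """Qualitative band. Assumption: the listing's 'Medium' label follows the
    CVSS v3 bands (Low < 4.0, Medium < 7.0, High < 9.0, otherwise Critical)."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    uplift = aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER)
    score = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    print(f"factor sum {sum(AGENTIC_FACTORS.values()):.1f}/10, "
          f"AARS {uplift:.2f}, AIVSS {score:.1f} ({severity(score)})")
```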

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not settle that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server itself does not host or define a foundation model, but the downstream LLM consuming its scraped outputs is highly vulnerable to indirect prompt injection and adversarial data poisoning.

L2 · Data Operations (✓ mapped)

The tool dynamically ingests external data by scraping Google search results. This introduces a significant data provenance gap and exposes the consuming system to untrusted, potentially poisoned web content acting as an injection vector.

L3 · Agent Frameworks (✓ mapped)

As an MCP tool, it integrates directly into agent frameworks. Insecure tool integration could allow a calling agent to be hijacked if it executes instructions embedded within the scraped search snippets.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment environment of this lightweight MCP server is unspecified, though local execution without sandboxing could expose the host if the server itself is compromised or manipulated.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There are no mentioned guardrails, content filtering, or observability mechanisms to detect or sanitize malicious payloads within the scraped search results before they reach the agent.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The tool operates without API keys or authentication, bypassing standard access controls. This lack of identity management and reliance on scraping also presents compliance and terms-of-service (ToS) risks.

L7 · Agent Ecosystem (✓ mapped)

Designed for the MCP ecosystem, this tool facilitates agent-to-tool interactions where upstream agents may implicitly trust the returned snippets, leading to cascading failures or compromised decision-making across an agentic workflow.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).