
Resend (Klavis) — agentic threat model

AIVSS 8.4 · High

This agent is an MCP server that bridges LLMs to the Resend email API. If the underlying API key is not strictly scoped and monitored, it is a high-risk vector for automated spam, phishing, and data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.5
AARS uplift: 0.87
Factor sum: 3.3 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0
Autonomy of Action: 0.60
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.20
Non-Determinism: 0.50
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
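The formula above carried through with the page's own factor values, as an added example (not the OWASP AIVSS calculator's or AgentReady's code). Two details are assumptions, since the page only shows rounded results: AARS is rounded half-up to two places and the final score to one place, and the severity label uses CVSS-style qualitative bands (High for 7.0 to 8.9).

```python
"""AIVSS worked computation with the values shown on this page.

Added example; not the OWASP AIVSS calculator's or AgentReady's code.
Formula as printed on the page:
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Mapping

# The ten agentic risk factors with the estimates listed on the page (each in [0, 1]).
AGENTIC_FACTORS: dict[str, float] = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.30,
}


@dataclass(frozen=True)
class AivssResult:
    cvss_base: float
    factor_sum: float   # sum of the ten factors, at most 10
    aars: float         # agentic uplift, rounded to two places
    aivss: float        # final score, rounded to one place, capped at 10
    severity: str


def severity_band(score: float) -> str:
    """Qualitative label. Assumption: AIVSS reuses the CVSS bands."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def _d(x: float) -> Decimal:
    # Go through str() so 0.6 becomes Decimal("0.6"), not its binary expansion.
    return Decimal(str(x))


def aivss(cvss_base: float, factors: Mapping[str, float],
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> AivssResult:
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    if len(factors) != 10:
        raise ValueError("AIVSS defines exactly ten agentic factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1], got {value}")
    factor_sum = sum(_d(v) for v in factors.values())
    aars = (Decimal(10) - _d(cvss_base)) * (factor_sum / Decimal(10)) * _d(threat_multiplier)
    score = min((_d(cvss_base) + aars) * _d(mitigation_factor), Decimal(10))
    rounded = score.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
    return AivssResult(
        cvss_base=cvss_base,
        factor_sum=float(factor_sum),
        aars=float(aars.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)),
        aivss=float(rounded),
        severity=severity_band(float(rounded)),
    )


if __name__ == "__main__":
    # The page's inputs: CVSS base 7.5, ThM 1.05, no mitigation credit.
    print(aivss(7.5, AGENTIC_FACTORS, threat_multiplier=1.05))
    # What the same listing would score with a 0.8 mitigation factor.
    print(aivss(7.5, AGENTIC_FACTORS, threat_multiplier=1.05, mitigation_factor=0.8))
```

Because the uplift is scaled by (10 − CVSS_Base), a listing that already carries a CVSS base of 10 gets no agentic uplift at all; the factors only move scores that still have headroom.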

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The agent relies on external LLMs via the Model Context Protocol (MCP). If the upstream model is susceptible to prompt injection, an attacker can hijack the model to draft and send unauthorized phishing emails.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The tool itself does not specify a vector database or RAG pipeline, but any data passed into the email context could be subject to exfiltration or leakage if sensitive information is processed.

L3 · Agent Frameworks (✓ mapped)

The agent exposes a direct tool interface to send emails via Resend. The primary threat is tool misuse, where an orchestrating framework or malicious prompt triggers the tool to send spam or exfiltrate system data to external inboxes.

L4 · Deployment & Infrastructure (✓ mapped)

The MCP server requires local or cloud hosting and holds a Resend API key. Insecure storage of this API key or lack of network isolation could allow unauthorized local processes to abuse the email-sending capability.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The listing mentions no logging, rate-limiting, or guardrail mechanism that would detect or block anomalous email volumes or suspicious content before transmission.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Authentication relies solely on a Resend API key. There is no built-in authorization policy or human-in-the-loop (HITL) confirmation mechanism described to restrict who or what can trigger an email send.
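One way to put the controls that layers L4 to L6 above say are missing in front of the send tool, as an added example that is not Klavis or Resend code: a policy wrapper that checks recipient and link domains against allow-lists, applies a sliding-window rate limit, requires human approval above a recipient threshold, and records every decision. The transport is an injected send_fn(to, subject, body); that name, the SendPolicy fields and the fake transport in the demo are assumptions for illustration, not Resend's API.

```python
"""Policy layer in front of an agent's email-sending tool.

Added example, not code from Klavis or Resend. The real transport is an
injected callable send_fn(to, subject, body); nothing here calls the Resend
API. It enforces a recipient allow-list, a link-domain allow-list, a
sliding-window rate limit and a human-approval gate, and keeps an audit
trail of every decision so anomalous volume or content is visible.
"""
from __future__ import annotations

import re
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Sequence

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass(frozen=True)
class SendPolicy:
    allowed_recipient_domains: frozenset[str]  # where mail may go
    allowed_link_domains: frozenset[str]       # hosts a body may link to
    max_sends_per_window: int = 20             # rate-limit ceiling
    window_seconds: float = 3600.0
    approval_required_above: int = 5           # recipients per message before HITL


class PolicyViolation(Exception):
    """Raised by send() when check() reports at least one violation."""


class GuardedEmailTool:
    def __init__(self, policy: SendPolicy, send_fn: Callable[..., dict],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._policy = policy
        self._send_fn = send_fn
        self._clock = clock
        self._sent_at: Deque[float] = deque()  # timestamps of accepted sends
        self.audit: list[dict] = []            # every send() decision, allowed or not

    def _prune(self, now: float) -> None:
        # Drop timestamps that have aged out of the rate-limit window.
        while self._sent_at and now - self._sent_at[0] >= self._policy.window_seconds:
            self._sent_at.popleft()

    def check(self, to: Sequence[str], body: str, approved: bool = False) -> list[str]:
        """Return the policy violations for a proposed send; empty means allowed."""
        p = self._policy
        problems: list[str] = []
        for addr in to:
            m = EMAIL_RE.match(addr)
            if not m:
                problems.append(f"malformed recipient: {addr!r}")
            elif m.group(1).lower() not in p.allowed_recipient_domains:
                problems.append(f"recipient domain not allowed: {m.group(1).lower()}")
        for host in sorted({h.lower() for h in URL_RE.findall(body)}):
            if host not in p.allowed_link_domains:
                problems.append(f"link to non-allow-listed host: {host}")
        if len(to) > p.approval_required_above and not approved:
            problems.append(f"{len(to)} recipients exceeds {p.approval_required_above}; "
                            "human approval required")
        self._prune(self._clock())
        if len(self._sent_at) >= p.max_sends_per_window:
            problems.append(f"rate limit: {p.max_sends_per_window} sends per "
                            f"{p.window_seconds:g}s reached")
        return problems

    def send(self, to: Sequence[str], subject: str, body: str, approved: bool = False) -> dict:
        problems = self.check(to, body, approved)
        entry = {"to": list(to), "subject": subject, "approved": approved, "violations": problems}
        self.audit.append(entry)
        if problems:
            raise PolicyViolation("; ".join(problems))
        self._sent_at.append(self._clock())
        result = self._send_fn(to=list(to), subject=subject, body=body)
        entry["result"] = result
        return result


if __name__ == "__main__":
    # Constructed stand-in for the Resend transport: records calls, returns a fake id.
    sent: list[dict] = []

    def fake_send(to, subject, body):
        sent.append({"to": to, "subject": subject})
        return {"id": f"msg-{len(sent)}"}

    policy = SendPolicy(frozenset({"example.com"}), frozenset({"app.example.com"}))
    tool = GuardedEmailTool(policy, fake_send)
    print(tool.send(["alice@example.com"], "Weekly report", "See https://app.example.com/r/1"))
    # Constructed prompt-injection outcome: the model tries to mail internal data outside.
    print(tool.check(["attacker@evil.test"], "system prompt dump: ... https://evil.test/collect"))
```

The check runs before the transport is touched, so a hijacked model can at most fill the audit log with refused attempts; the allow-lists and the approval threshold are the policy the page says the listing does not describe, and the injected send_fn keeps the example independent of the real API surface.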

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, this agent is designed to be called by other agents. In a multi-agent ecosystem, a compromised or rogue planning agent could leverage this tool to propagate attacks or send spam horizontally across the network.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).