Slack MCP — agentic threat model
The Slack MCP agent presents a high-risk profile due to its broad read/write access to workspace communications, making it a prime target for indirect prompt injection and unauthorized data exfiltration.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description gives no detail for that layer.
Layer 1, Foundation Models: Not certain from the listing — The listing describes a Slack connector (MCP tool) rather than the underlying foundation model itself. However, any model that consumes this tool's output is highly susceptible to indirect prompt injection via Slack messages read from channels.
Layer 2, Data Operations: The agent reads workspace history, channels, and user data. Threats include exfiltration of sensitive Slack history and exposure to poisoned data or prompt injections embedded in Slack messages.
Layer 3, Agent Frameworks: The connector exposes powerful tools (post, reply, search, list). Insecure tool integration or lack of strict input validation could allow an orchestrating framework to abuse these tools, leading to mass spamming or unauthorized data harvesting.
Layer 4, Deployment & Infrastructure: Not certain from the listing — The hosting environment, secret management for Slack workspace tokens, and sandboxing of the MCP server are not detailed in the listing.
Layer 5, Evaluation & Observability: Not certain from the listing — There is no mention of built-in logging, audit trails, or guardrails to monitor the agent's Slack interactions or to detect anomalous search/post patterns.
Layer 6, Security & Compliance: The agent uses workspace tokens that can span many channels. Token scoping is critical, and the listing notes that 'confirmation on posts matter,' implying that authorization policies and human-in-the-loop confirmation are not enforced by the connector itself.
Layer 7, Agent Ecosystem: The agent operates in a multi-user/multi-agent Slack workspace. It is vulnerable to A2A trust abuse, where other automated bots or compromised users trigger the agent via channel messages.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
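A policy gate of the kind the observability and security layers above call for, as an added example (not code from the listing or the connector): it allowlists channels for write tools, requires a human confirmation callback before post/reply, flags bursts of search calls, and writes an audit record for every call. The tool names post/reply/search/list come from the listing; the channel IDs, thresholds and the confirm callback are assumptions.

```python
"""Policy gate in front of Slack MCP tool calls (added example, not the connector's code).
Assumed: tools post/reply/search/list receive a dict of args, writes carry a 'channel' key;
channel IDs and thresholds below are constructed placeholders."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional
import time

WRITE_TOOLS = {"post", "reply"}                    # side-effecting tools
ALLOWED_CHANNELS = {"C_ENG_ALERTS", "C_DEV_OPS"}   # constructed allowlist of channel IDs
SEARCH_BURST_LIMIT = 5                             # searches per window before flagging
WINDOW_SECONDS = 60

Confirm = Callable[[str, dict], bool]              # human-in-the-loop approval hook


@dataclass
class ToolGate:
    audit: list = field(default_factory=list)       # audit trail, one record per call
    searches: deque = field(default_factory=deque)  # timestamps of recent searches

    def decide(self, tool: str, args: dict, now: Optional[float] = None,
               confirm: Optional[Confirm] = None) -> str:
        """Return 'allow', 'deny', 'needs_confirmation' or 'flag' and log the decision."""
        now = time.time() if now is None else now
        verdict, reason = "allow", "read-only tool"
        if tool in WRITE_TOOLS:
            chan = args.get("channel")
            if chan not in ALLOWED_CHANNELS:          # the token may span many channels; the gate does not
                verdict, reason = "deny", f"channel {chan!r} not in allowlist"
            elif confirm is None:
                verdict, reason = "needs_confirmation", "write requires human approval"
            elif not confirm(tool, args):
                verdict, reason = "deny", "human rejected the write"
            else:
                reason = "human approved the write"
        elif tool == "search":
            self.searches.append(now)
            while self.searches and now - self.searches[0] > WINDOW_SECONDS:
                self.searches.popleft()               # drop timestamps outside the window
            if len(self.searches) > SEARCH_BURST_LIMIT:
                verdict, reason = "flag", "search burst: possible data harvesting"
        self.audit.append({"t": now, "tool": tool, "args": dict(args),
                           "verdict": verdict, "reason": reason})
        return verdict
```

The gate is meant to sit between the orchestrator and the MCP server so that every call, including reads, leaves an audit record; a "flag" verdict is a signal for the monitoring layer rather than a hard block.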