
Web Scout MCP — agentic threat model

AIVSS 7.7 · High

Web Scout MCP presents a high indirect prompt injection risk due to its core function of fetching untrusted web content directly into an agent's context. Its lack of built-in input sanitization or content filtering means security relies entirely on the host agent's architecture.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
Inputs:
CVSS base: 7.5
AARS uplift: 0.65
Factor sum: 2.6 / 10
Threat (ThM): ×1.0
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.30
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.40
Persistent Memory: 0.00
Contextual Awareness: 0.50
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.60
Non-Determinism: 0.50
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
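Carrying the listing's own inputs through the formula above (an added worked computation, not part of the original listing) reproduces the 7.7 score:

$$
\text{Factor\_Sum} = 0.30 + 0.10 + 0.00 + 0.40 + 0.00 + 0.50 + 0.00 + 0.60 + 0.50 + 0.20 = 2.6
$$

$$
\text{AARS} = (10 - 7.5) \times \frac{2.6}{10} \times 1.0 = 2.5 \times 0.26 = 0.65
$$

$$
\text{AIVSS} = (7.5 + 0.65) \times 0.95 = 8.15 \times 0.95 = 7.7425 \approx 7.7
$$

With the mitigation factor set to 1.0 (no credit for host-side controls) the same inputs give 8.15, so the mitigation credit on this listing is worth less than half a point.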

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Web Scout is an MCP tool that feeds retrieved text into an external foundation model. The primary L1 threat is indirect prompt injection via the fetched untrusted web content, which can reprogram the host model.

L2 · Data Operations (✓ mapped)

The tool performs real-time data retrieval (web scraping/search) without a persistent vector database. The main threat is data poisoning/untrusted input ingestion from arbitrary remote pages, acting as a vector for indirect prompt injection.

L3 · Agent Frameworks (✓ mapped)

Because the tool is built on MCP, the framework-level risk is insecure tool integration: the orchestrating agent blindly trusts the extracted text. The lack of input sanitization before that text is passed into the model context is the key vulnerability.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment environment (sandboxing, network egress controls) is not specified. If run without network isolation, fetching arbitrary URLs could lead to SSRF (Server-Side Request Forgery) or local network scanning.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, content filtering, or observability logging to detect prompt injection or malicious payloads in the retrieved web text.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

As a free, open-source MCP tool, there are no built-in compliance frameworks, access controls, or audit logs mentioned. Security relies entirely on the host application's implementation.

L7 · Agent Ecosystem (✓ mapped)

Designed specifically for multi-agent or agent-to-tool ecosystems (MCP). A compromised or manipulated Web Scout tool can feed malicious payloads to downstream agents, causing cascading failures or unauthorized actions across the agent ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).