Zhipu Web Search MCP — agentic threat model
The Zhipu Web Search MCP presents a moderate risk profile, primarily acting as a vector for indirect prompt injection via untrusted web content and financial exposure through API key theft.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.60 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
The underlying foundation model (Zhipu BigModel) is susceptible to indirect prompt injection payloads embedded in retrieved web content, which can reprogram downstream model behavior.
Data operations rely on real-time web scraping and ranking. Threats include data poisoning via SEO manipulation or malicious web pages designed to feed toxic or misleading grounding data to the agent.
As an MCP tool, insecure integration into agent frameworks could allow malicious actors to craft queries that exploit the calling framework or trigger unintended tool execution paths.
The deployment relies on a Zhipu API key. Compromise of this key leads to direct financial theft via credit exhaustion on the user's BigModel account.
Not certain from the listing — there is no mention of built-in guardrails, content filtering, or logging mechanisms to detect and block malicious search payloads before they reach the model.
Not certain from the listing — the directory does not specify authorization policies, access controls for the API key, or compliance certifications for data handling.
Designed for the MCP ecosystem, this tool introduces cascading risks where a compromised or malicious agent can abuse the search tool to exfiltrate data or inject payloads into other connected agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).