Amplitude MCP Server — agentic threat model
The Amplitude MCP Server exposes sensitive product-analytics, cohort, and chart data to LLMs. That is a moderate-to-high data-exposure risk if the model is manipulated via prompt injection: the server has no write-back capability, which limits direct destructive actions, but it does nothing to limit read-side exfiltration of the data it returns.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors above are estimates derived from the agent's described capabilities, not from testing it.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary where the public description did not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — The underlying LLM is not specified, but whichever model drives the tool calls is exposed to prompt injection: instructions embedded in user-supplied content, or in the query results themselves, could steer it into pulling and exfiltrating sensitive user-behaviour analytics or cohort data. Event and user property values are ultimately written by the instrumented applications and their end users, so query results are a plausible injection channel, not only the operator's chat input.
Layer 2, Data Operations: The agent connects directly to Amplitude's remote endpoints (US or EU) to query product-analytics events, cohorts, and charts. The primary threat is exfiltration of sensitive user-behaviour data through unauthorized or overly broad queries (wide date ranges, high row limits, cohort membership listings).
Layer 3, Agent Frameworks: The agent uses the Model Context Protocol (MCP) to expose its query tools. Threats include tool misuse, where an attacker manipulates the agent into running unauthorized queries or bypassing the analytical boundaries the operator intended; the protocol itself carries no notion of which queries are appropriate, so any such boundary has to be enforced in the server or in a policy layer in front of it.
Layer 4, Deployment and Infrastructure: The agent communicates with US and EU remote endpoints. Threats include insecure handling of the API credentials used to authenticate to Amplitude (exposure in configuration files, process arguments, or logs) and man-in-the-middle interception if transport security is misconfigured, for example if certificate verification is disabled or the endpoint is overridden to plain HTTP.
Layer 5, Evaluation and Observability: Not certain from the listing — There is no mention of built-in guardrails, query logging, or anomaly detection to reveal whether the agent is executing suspicious or excessively large data-harvesting queries; without per-call logging, a slow harvest spread over many small queries is indistinguishable from normal use.
Layer 6, Security and Compliance: Access control is bounded by the scope of the connected Amplitude project and the credential issued for it; the agent can read whatever that credential can read. If the project scope is too broad, the agent inherits excessive read privileges over user-behaviour data, risking compliance violations (e.g., GDPR/CCPA).
Layer 7, Agent Ecosystem: Not certain from the listing — If integrated into a multi-agent system, other untrusted agents could query this MCP server to harvest proprietary product metrics and user cohorts without direct human oversight, inheriting the credential's scope transitively.
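Layers 3, 5 and 6 above all come down to bounds that MCP does not enforce by itself: which tools may be called, how much data a session may pull, which project it may pull from, and whether any of it is logged. The following is an added example of a policy and audit gate an operator could place between the LLM client and the server; it is not Amplitude's code and not part of the listing. The tool names (`query_events`, `list_cohorts`, `get_chart`), argument shapes, placeholder regional hosts, numeric budgets and JSON audit format are all assumptions chosen for illustration.

```python
"""Policy and audit gate between an LLM client and an analytics MCP server.
Added example for this threat model, not Amplitude's code: tool names, argument
shapes, regional hosts and every limit below are assumptions, not the real interface."""
from __future__ import annotations

import json
import logging
import re
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse

log = logging.getLogger("mcp.audit")
READ_ONLY_TOOLS = {"query_events", "list_cohorts", "get_chart"}   # hypothetical tool names
ALLOWED_HOSTS = {"us": "api.us.example", "eu": "api.eu.example"}  # placeholder regional hosts
MAX_RANGE_DAYS = 90             # widest event window one query may cover (assumed)
MAX_ROWS_PER_CALL = 10_000      # largest page one call may request (assumed)
MAX_CALLS_PER_SESSION = 50      # tool-call budget per agent session (assumed)
MAX_ROWS_PER_SESSION = 100_000  # cumulative rows before a session is flagged (assumed)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Session:
    """What one agent session may read, and what it has consumed so far."""
    session_id: str
    allowed_projects: frozenset[str]
    endpoint: str                      # base URL the gate forwards to
    calls: int = 0
    rows_returned: int = 0
    flagged: bool = False
    denials: list[str] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _audit(session: Session, tool: str, args: dict, decision: Decision) -> None:
    # One JSON line per decision, so a SIEM can alert on repeated denials or budget exhaustion.
    log.info(json.dumps({"session": session.session_id, "tool": tool, "args": args,
                         "allowed": decision.allowed, "reason": decision.reason,
                         "calls": session.calls, "rows": session.rows_returned}, default=str))


def _smuggled_url(args: dict, endpoint_host: str) -> str | None:
    """Heuristic: a URL in a string argument pointing away from the analytics host, the
    shape a prompt-injected "send the results to ..." instruction tends to take."""
    for value in args.values():
        for url in (URL_RE.findall(value) if isinstance(value, str) else []):
            if urlparse(url).hostname != endpoint_host:
                return url
    return None


def _window_days(args: dict) -> int | None:
    try:
        return (date.fromisoformat(args["end"]) - date.fromisoformat(args["start"])).days
    except (KeyError, TypeError, ValueError):
        return None


def evaluate_call(session: Session, tool: str, args: dict) -> Decision:
    """Decide whether the model's tool call may be forwarded; every decision is audited."""
    session.calls += 1
    parsed = urlparse(session.endpoint)
    decision = Decision(True, "ok")
    if tool not in READ_ONLY_TOOLS:
        decision = Decision(False, f"tool {tool!r} is not an allowlisted read-only tool")
    elif parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS.values():
        decision = Decision(False, f"endpoint {session.endpoint!r} is not an https regional endpoint")
    elif args.get("project_id") not in session.allowed_projects:
        decision = Decision(False, "project is outside this session's scope")
    elif session.calls > MAX_CALLS_PER_SESSION or session.rows_returned >= MAX_ROWS_PER_SESSION:
        decision = Decision(False, "session data budget exhausted")
    elif (url := _smuggled_url(args, parsed.hostname)) is not None:
        decision = Decision(False, f"argument carries an external URL: {url}")
    elif tool == "query_events":
        days = _window_days(args)
        if days is None or days < 0:
            decision = Decision(False, "query needs a valid ISO start/end window")
        elif days > MAX_RANGE_DAYS:
            decision = Decision(False, f"date range exceeds {MAX_RANGE_DAYS} days")
        elif int(args.get("limit", MAX_ROWS_PER_CALL)) > MAX_ROWS_PER_CALL:
            decision = Decision(False, f"limit exceeds {MAX_ROWS_PER_CALL} rows per call")
    elif tool == "list_cohorts" and args.get("include_members"):
        # Cohort membership is a list of user identifiers, the highest-value exfiltration target here.
        decision = Decision(False, "cohort member export is not permitted through the agent")
    if not decision.allowed:
        session.denials.append(decision.reason)
        session.flagged = session.flagged or len(session.denials) >= 3  # repeated denials: likely manipulation
    _audit(session, tool, args, decision)
    return decision


def record_result(session: Session, rows: int) -> None:
    """Account for rows actually returned; flag sessions that cross the harvesting threshold."""
    session.rows_returned += rows
    if session.rows_returned > MAX_ROWS_PER_SESSION:
        session.flagged = True
```

Wire `evaluate_call` in front of every forwarded tool call and `record_result` after every response. The JSON audit lines are exactly what Layer 5 is missing, and the `flagged` bit is the signal to cut the session off or page a human. The external-URL heuristic is deliberately narrow: it catches a model that has been talked into naming an exfiltration destination inside a tool argument, not every form of injection, which is why the budgets and the cohort-member deny rule carry most of the weight.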
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).