
Amplitude MCP Server — agentic threat model

AIVSS 6.7 · Medium

The Amplitude MCP Server exposes sensitive product-analytics, cohort, and chart data to LLMs, presenting a moderate-to-high data exposure risk if the model is manipulated via prompt injection, though its lack of write-back capabilities limits direct destructive actions.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 6.5
AARS uplift: 0.99
Factor sum: 2.7/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.9

Agentic risk factors:
Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.60
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.10
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
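As an added example (not part of the listing or of the AIVSS calculator), the following Python recomputes the score above from the ten listed factors and also shows what the same inputs yield with no mitigation credit; the per-step rounding and the CVSS-style severity bands are assumptions.

```python
# Added example (not from the listing): recompute this page's OWASP AIVSS score
# from the inputs shown above: AIVSS = (CVSS_Base + AARS) * Mitigation_Factor,
# AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.
# Assumptions: AARS is displayed to two decimals, the score to one, and the
# label follows the CVSS v3.x bands (Medium 4.0-6.9, High 7.0-8.9).

# The ten agentic risk factors exactly as listed for the Amplitude MCP Server.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}

def factor_sum(factors):
    """Sum of the ten agentic factors (rounded to absorb float noise)."""
    return round(sum(factors.values()), 2)

def aars(cvss_base, factors, threat_multiplier):
    """Agentic uplift: scales the headroom left above CVSS_Base."""
    return (10 - cvss_base) * (factor_sum(factors) / 10) * threat_multiplier

def severity(value):
    """Qualitative band; assumed to follow the CVSS v3.x ranges."""
    if value >= 9.0:
        return "Critical"
    if value >= 7.0:
        return "High"
    if value >= 4.0:
        return "Medium"
    return "Low"

def score(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Full AIVSS computation; returns the displayed (rounded) values."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    total = (cvss_base + uplift) * mitigation_factor
    rounded = round(total, 1)
    return {"aars": round(uplift, 2), "aivss": rounded, "severity": severity(rounded)}

if __name__ == "__main__":
    print("As listed:", score(6.5, AGENTIC_FACTORS, 1.05, 0.9))   # aivss 6.7, Medium
    # Same agent with no mitigation credit: shows what the x0.9 factor buys.
    print("No mitigation:", score(6.5, AGENTIC_FACTORS, 1.05, 1.0))  # aivss 7.5, High
```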

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The underlying LLM is not specified, but it is vulnerable to prompt injection attacks that could trick the model into extracting and exfiltrating sensitive user-behavior analytics or cohort data.

L2 · Data Operations · ✓ mapped

The agent connects directly to Amplitude's remote endpoints (US/EU) to query product-analytics events, cohorts, and charts. The primary threat is data exfiltration of sensitive user-behavior data through unauthorized or overly broad queries.

L3 · Agent Frameworks · ✓ mapped

The agent uses the Model Context Protocol (MCP) to expose querying tools. Threats include tool misuse where an attacker manipulates the agent to run unauthorized queries or bypass intended analytical boundaries.

L4 · Deployment & Infrastructure · ✓ mapped

The agent communicates with US and EU remote endpoints. Threats include insecure transmission of API keys/tokens used to authenticate with Amplitude, and potential man-in-the-middle attacks if transport security is misconfigured.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, query logging, or anomaly detection to monitor if the agent is executing suspicious or excessively large data-harvesting queries.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Access control is bounded by the scope of the connected Amplitude project. However, if the project scope is too broad, the agent inherits excessive read privileges, risking compliance violations (e.g., GDPR/CCPA) regarding user-behavior data.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — If integrated into a multi-agent system, other untrusted agents could query this MCP server to harvest proprietary product metrics and user cohorts without direct human oversight.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).