analytics-mcp-server — agentic threat model

AIVSS 4.3 · Medium

The analytics-mcp-server presents a low-to-moderate agentic risk posture due to its local-only execution and read-only database constraints, though it remains vulnerable to SQL injection bypasses and malicious CSV imports.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.3 · AARS uplift 0.89 · Factor sum 2.1/10 · Threat ×0.9 · Mitigation ×0.7

Agentic risk factor           Score
Autonomy of Action            0.30
Goal-Driven Planning          0.20
Self-Modification             0.00
Dynamic Tool Use              0.40
Persistent Memory             0.10
Contextual Awareness          0.30
Dynamic Identity              0.00
Multi-Agent Interactions      0.10
Non-Determinism               0.40
Opacity & Reflexivity         0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not pin that layer down.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The underlying LLM is not specified as this is an MCP server. The primary threat is model reprogramming or prompt injection via malicious database schemas or imported CSV content that forces the model to generate unsafe queries.

L2 · Data Operations · ✓ mapped

Data operations are restricted to local SQLite databases and CSV imports. The primary risk is data poisoning via untrusted CSV files, which could lead to SQL injection or downstream prompt injection when the agent reads the imported data.

L3 · Agent Frameworks · ✓ mapped

The framework provides schema inspection, aggregations, and guarded read-only queries. The main threat is a breakdown in the guard layer, allowing an attacker to bypass read-only restrictions or execute arbitrary SQL commands via injection.

L4 · Deployment & Infrastructure · ✓ mapped

Deployment is local-only, which significantly reduces the network attack surface. However, if the host environment is compromised, the SQLite database files and local CSV files are exposed to unauthorized access.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in logging, auditing, or evaluation guardrails beyond the query guard layer. Monitoring of executed SQL queries and import actions is highly recommended.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The agent enforces read-only access through a policy of 'guarded read-only queries', but it has no robust identity, authentication, or authorization mechanisms of its own and relies instead on host-level permissions.

L7 · Agent Ecosystem · ✓ mapped

As an MCP server, it is designed to interact with an orchestrating client or agent. The threat of cascading failures exists if a compromised parent agent abuses the analytics tools to extract sensitive local data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).