
chroma-core/chroma-mcp — agentic threat model

AIVSS 8.2 · High

This MCP server is a direct bridge between an LLM and Chroma vector databases. Because it both indexes arbitrary documents and returns the nearest matches straight into the model's context window, it presents a high-risk surface for indirect prompt injection and data poisoning: anything an attacker can get indexed can later be retrieved as if it were trusted reference material.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM and ThM is the threat multiplier

Inputs for this listing:
CVSS base: 7.5
Factor sum: 4.4 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95
AARS uplift: 1.16

Check: AARS = (10 − 7.5) × 0.44 × 1.05 = 1.155 ≈ 1.16; AIVSS = (7.5 + 1.155) × 0.95 = 8.22 ≈ 8.2.

Agentic risk factors (each 0.0 to 1.0, estimated):
Autonomy of Action          0.30
Goal-Driven Planning        0.20
Self-Modification           0.10
Dynamic Tool Use            0.60
Persistent Memory           0.90
Contextual Awareness        0.80
Dynamic Identity            0.20
Multi-Agent Interactions    0.40
Non-Determinism             0.50
Opacity & Reflexivity       0.40
Sum                         4.40

Scored with the OWASP AIVSS formula (see the AIVSS calculator reference); the ten agentic risk factors are estimates derived from the agent's described capabilities, not measured values, so the score should be read as an upper-bound triage number rather than a precise rating.
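The formula above worked through in code, as an added example (it is not the page's code nor the OWASP calculator's): it reproduces the listing's AARS and AIVSS values from the ten factor estimates, then varies one input at a time to show that the mitigation factor moves the score more than any single agentic factor does. The 0.0 to 1.0 factor range, the CVSS-style severity bands and the cap at 10 are assumptions made for the example.

```python
"""Worked OWASP AIVSS computation for this listing.

Added example, not the page's or the OWASP calculator's code. It implements the
formula exactly as the page states it and reproduces the page's numbers, then
shows which input moves the score most. Assumptions: factor values lie in
0.0-1.0, the qualitative bands follow the CVSS scale, the final score is capped
at 10.
"""

# The ten agentic risk factors with the page's estimates for chroma-mcp.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.90,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def factor_sum(factors: dict) -> float:
    """Sum of the ten factors; the formula divides this by 10 (the factor count)."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} outside 0.0-1.0 (assumed range)")
    return sum(factors.values())


def aars(cvss_base: float, factors: dict, threat_multiplier: float) -> float:
    """Agentic AI Risk Score: AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict, threat_multiplier: float,
          mitigation_factor: float) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, capped at 10 (assumption)."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return min(10.0, raw)


def severity(score: float) -> str:
    """Qualitative band; assumed to match the CVSS v3 scale the page's 'High' implies."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_listing() -> dict:
    """Reproduce the page: CVSS 7.5, factor sum 4.4, ThM 1.05, mitigation 0.95."""
    score = aivss(7.5, AGENTIC_FACTORS, 1.05, 0.95)
    return {"aars": aars(7.5, AGENTIC_FACTORS, 1.05),
            "aivss": round(score, 1), "severity": severity(score)}


def what_if() -> dict:
    """Two single-input changes, to show which lever matters more for this agent."""
    less_memory = dict(AGENTIC_FACTORS, **{"Persistent Memory": 0.50})
    return {
        # Weaker persistent-memory exposure: factor sum 4.0 -> AARS 1.05 -> 8.1
        "persistent_memory_0.5": round(aivss(7.5, less_memory, 1.05, 0.95), 1),
        # Stronger mitigation factor (hypothetical 0.80) -> 6.9, i.e. drops a band
        "mitigation_0.80": round(aivss(7.5, AGENTIC_FACTORS, 1.05, 0.80), 1),
    }


if __name__ == "__main__":
    print(score_listing())
    print(what_if())
```

Halving the largest single factor (Persistent Memory) only shaves a tenth off the score, while a mitigation factor of 0.80 takes it below the High band; for an agent whose base CVSS is already 7.5, deployed controls are the lever that changes the rating.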

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary because the public description does not establish how the agent behaves at that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing: the MCP server does not choose or define a foundation model. Whatever LLM consumes the retrieved documents, however, is exposed to indirect prompt injection and adversarial reprogramming through poisoned documents that retrieval hands back as context.

L2 · Data Operations · ✓ mapped

This is the primary risk layer. The agent directly manages vector store operations (adding, embedding and searching documents), so it is the natural target for knowledge-base poisoning: a document that an attacker gets indexed is later returned as if it were trusted reference material. Other exposures at this layer are embedding inversion (recovering source text from embeddings if they are exposed) and data exfiltration driven by instructions carried inside indexed documents.

L3 · Agent Frameworks · ✓ mapped

The agent exposes tools for document insertion and similarity search. If the document-addition tool performs no input screening and records no provenance, an upstream agent or user can inject malicious payloads into persistent memory, where they survive across sessions and reach every later caller.

L4 · Deployment & Infrastructure · ✓ mapped

The server connects to both local and cloud Chroma instances. Risks include database credentials exposed in configuration or environment variables, missing transport encryption (TLS) to cloud instances, and lateral movement: a compromise of the host running the MCP server yields whatever Chroma credentials that host holds.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing: there is no mention of built-in guardrails, content filtering, or anomaly detection to flag poisoned documents or suspicious similarity queries (for example unusually broad or high-volume reads) before results reach the LLM.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing: the description does not detail the authentication or authorization mechanisms (such as RBAC) that govern who may write to or query the Chroma instances through this MCP server, or whether write and read privileges can be separated.

L7 · Agent Ecosystem · ✓ mapped

As an MCP tool, this agent is designed to be called by orchestrator agents. A compromised or rogue upstream agent could abuse the search tool to systematically read out the entire vector database, or abuse the insertion tool to overwrite memory segments that other agents depend on.
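An added example, not chroma-mcp's own code, of the controls the L3 and L7 entries call for: ingestion-time screening and provenance tagging on the document-addition path, and a per-caller read budget plus a hard result cap on the search path so a rogue upstream agent cannot page out the whole store. It uses an in-memory FakeCollection in place of a real Chroma collection so it runs offline; the injection pattern list, the availability of a caller identity, the `trusted` metadata key and the budget values are all assumptions made for the example.

```python
"""Guarded wrapper for the add/query tools an MCP server exposes over a vector store.

Added example, not chroma-mcp's own code. Assumptions: the server can attribute
each call to a caller (e.g. the MCP session), the real Chroma collection is
replaced here by an offline FakeCollection, and the pattern list and budget
numbers are illustrative.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Instruction-like patterns that should not appear in reference content.
# Constructed for this example; tune to the real corpus before relying on it.
INJECTION_PATTERNS = [
    re.compile(r"ignore (?:all |any )?(?:previous|prior|above) instructions", re.I),
    re.compile(r"\b(?:system prompt|developer message)\b", re.I),
    re.compile(r"\byou are now\b", re.I),
    re.compile(r"\b(?:curl|wget)\s+https?://", re.I),
    re.compile(r"<\s*/?\s*(?:system|assistant|tool)\s*>", re.I),
]


def screen_document(text: str) -> list:
    """Return the patterns that fire on `text`; an empty list means it passed."""
    return [p.pattern for p in INJECTION_PATTERNS if p.search(text)]


class FakeCollection:
    """Offline stand-in for a Chroma collection: add() and metadata-filtered query().

    Ranking is a token-overlap count, enough to exercise the guard logic
    without an embedding model.
    """

    def __init__(self) -> None:
        self._docs = {}

    def add(self, ids, documents, metadatas) -> None:
        for doc_id, text, meta in zip(ids, documents, metadatas):
            self._docs[doc_id] = (text, meta)

    def query(self, query_text: str, n_results: int, where: Optional[dict] = None):
        q = set(query_text.lower().split())
        scored = []
        for doc_id, (text, meta) in self._docs.items():
            if where and any(meta.get(k) != v for k, v in where.items()):
                continue
            scored.append((len(q & set(text.lower().split())), doc_id, text, meta))
        scored.sort(key=lambda s: (-s[0], s[1]))
        return [(doc_id, text, meta) for _, doc_id, text, meta in scored[:n_results]]


@dataclass
class GuardedStore:
    """Wraps add/query with ingestion screening, provenance tags and read budgets."""

    collection: FakeCollection
    max_results: int = 5            # hard cap per call, whatever the caller asks for
    budget_per_window: int = 20     # documents one caller may read per window
    window_seconds: float = 60.0
    _usage: dict = field(default_factory=dict)

    def add_documents(self, caller: str, ids, documents, source: str) -> int:
        metadatas = []
        for doc_id, text in zip(ids, documents):
            hits = screen_document(text)
            if hits:
                raise ValueError(f"document {doc_id} rejected by pattern {hits[0]!r}")
            # Provenance is recorded so retrieval can filter on it later.
            metadatas.append({"source": source, "added_by": caller,
                              "trusted": source == "internal"})
        self.collection.add(ids, documents, metadatas)
        return len(documents)

    def query(self, caller: str, text: str, n_results: int,
              trusted_only: bool = True, now: Optional[float] = None) -> list:
        now = time.monotonic() if now is None else now
        n = min(n_results, self.max_results)
        start, used = self._usage.get(caller, (now, 0))
        if now - start > self.window_seconds:
            start, used = now, 0
        if used + n > self.budget_per_window:
            raise PermissionError(f"{caller} exceeded retrieval budget for this window")
        self._usage[caller] = (start, used + n)
        where = {"trusted": True} if trusted_only else None
        hits = self.collection.query(text, n, where)
        # Fence each hit so the consuming LLM sees quoted data with a source label,
        # not text that blends into the instruction stream.
        return [{"id": doc_id, "source": meta["source"],
                 "content": f'<retrieved source="{meta["source"]}">{doc_text}</retrieved>'}
                for doc_id, doc_text, meta in hits]
```

In a real deployment the `trusted` predicate goes into the `where` metadata filter that Chroma's `collection.query` already accepts, and the screen should run before embedding so rejected text never enters the store; the fenced `<retrieved>` wrapper does not stop injection on its own but gives the downstream model and any log reviewer a clear boundary between instructions and retrieved data.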

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).