chroma-core/chroma-mcp — agentic threat model
This agent acts as a direct bridge to Chroma vector databases, presenting a high-risk surface for prompt injection and data poisoning since it retrieves and embeds untrusted documents directly into an LLM's context window.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.60 | |
| Persistent Memory | 0.90 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The MCP server itself does not define the foundation model, but the downstream LLMs consuming retrieved documents are highly vulnerable to indirect prompt injection and adversarial reprogramming via poisoned vector embeddings.
This is the primary risk layer. The agent directly manages vector store operations (adding, embedding, and searching documents). It is highly vulnerable to data/knowledge-base poisoning, embedding inversion, and unauthorized data exfiltration if malicious documents are indexed.
The agent exposes tools for document insertion and similarity search. Insecure tool integration or lack of input sanitization on the document-addition tool allows upstream agents or users to inject malicious payloads into persistent memory.
Connects to both local and cloud Chroma instances. Risks include exposed database credentials, lack of transport encryption (TLS) to cloud instances, and potential lateral movement if the host running the MCP server is compromised.
Not certain from the listing — There is no mention of built-in guardrails, content filtering, or anomaly detection to flag poisoned embeddings or suspicious similarity search queries before they reach the LLM.
Not certain from the listing — The description does not detail authentication or authorization mechanisms (such as RBAC) governing who can write to or query the Chroma instances via this MCP server.
As an MCP tool, this agent is designed to be called by other orchestrator agents. A compromised or rogue upstream agent could abuse this tool to systematically exfiltrate the entire vector database or overwrite critical memory segments.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).