ClickHouse — agentic threat model
This ClickHouse MCP server exposes high-performance analytical database access to LLMs, presenting significant data exfiltration and resource exhaustion risks if query limits and read-only scopes are not strictly enforced.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" carry general, caveated commentary because the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing. The MCP server itself does not specify the underlying foundation model, but it is exposed to indirect prompt injection: malicious text stored in ClickHouse tables could hijack the LLM's reasoning when it is read back during schema inspection or query execution.
Layer 2 (Data Operations): Directly handles structured analytical data. Risks include exfiltration of large datasets via SQL queries and exposure of sensitive database schemas to unauthorized users if access controls are misconfigured.
Layer 3 (Agent Frameworks): Exposes powerful SQL execution and schema inspection tools. Vulnerable to SQL injection, unsafe query construction by the LLM, and resource exhaustion (DoS) of the ClickHouse cluster through poorly optimized analytical queries.
Layer 4 (Deployment and Infrastructure): Relies on database credentials to connect to the ClickHouse cluster. Risks include insecure storage of those credentials, lack of network segmentation between the MCP server and the database, and lateral movement if the database host is compromised.
Layer 5 (Evaluation and Observability): Not certain from the listing. The description mentions query limits as a safeguard, but it is unclear whether there is active logging, anomaly detection, or query cost estimation to block malicious or runaway analytical queries before they execute.
Layer 6 (Security and Compliance): Emphasizes read-only scoping and credentialed access as the primary safeguards. Compliance risks arise if the database holds PII/PHI and lacks column-level encryption or row-level security policies tied to the agent's identity.
Layer 7 (Agent Ecosystem): Not certain from the listing. If integrated into a multi-agent system, other untrusted agents could use this MCP server to run arbitrary analytical queries, cascading data exposure risks across the whole ecosystem.
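The read-only scoping and query limits referenced in the summary and in the agent-frameworks and observability layers can be enforced as a pre-flight guard on every tool call. The following is an added illustration, not code from the MCP server being assessed: it refuses any statement that is not a read-only kind, refuses multi-statement input and clauses that could write files or lift limits, and returns the per-query ClickHouse settings (real setting names; the limit values are hypothetical defaults) that the server would pass alongside the query. It assumes the database account's profile permits those settings to be supplied per query; a `readonly=1` profile on the account itself remains the stronger control.

```python
import re

# Statement kinds the tool may forward to ClickHouse. Anything else is refused
# before a network call is made, so an injected "DROP TABLE" never reaches the cluster.
READ_ONLY_PREFIXES = ("SELECT", "WITH", "SHOW", "DESCRIBE", "DESC", "EXISTS", "EXPLAIN")

# Per-query ClickHouse settings that cap cost. Setting names are real;
# the values are hypothetical defaults chosen for this example.
QUERY_LIMITS = {
    "readonly": 1,                      # server refuses writes and settings changes
    "max_execution_time": 30,           # seconds before the query is killed
    "max_result_rows": 10_000,          # rows handed back to the LLM
    "result_overflow_mode": "break",    # truncate instead of erroring at the cap
    "max_memory_usage": 2_000_000_000,  # bytes per query
}


class QueryRejected(ValueError):
    """Raised when a query fails the read-only / single-statement guard."""


def _strip_comments(sql: str) -> str:
    # Comments are removed first so "-- DROP" cannot hide a keyword from the checks.
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return sql.strip()


def guard_query(sql: str) -> dict:
    """Return the settings to send with `sql`, or raise QueryRejected."""
    body = _strip_comments(sql).rstrip(";").strip()
    if not body:
        raise QueryRejected("empty query")
    if ";" in body:
        raise QueryRejected("multiple statements are not allowed")
    first = body.split(None, 1)[0].upper()
    if first not in READ_ONLY_PREFIXES:
        raise QueryRejected(f"statement kind {first!r} is not read-only")
    upper = body.upper()
    # INTO OUTFILE writes to the host running the client; an inline SETTINGS clause
    # could try to override the limits below. Both are refused conservatively.
    if re.search(r"\bINTO\s+OUTFILE\b", upper) or re.search(r"\bSETTINGS\b", upper):
        raise QueryRejected("INTO OUTFILE and SETTINGS clauses are not allowed")
    return dict(QUERY_LIMITS)
```

Feed the returned dict to the client call (for example the `settings=` argument of `clickhouse-connect`'s `query`) so the limits travel with every statement the LLM produces.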
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).