
Couchbase — agentic threat model

AIVSS 8.2 · High

The Couchbase MCP server exposes high-value database clusters to agentic tool-calling, introducing significant risk of unauthorized data manipulation or exfiltration if the orchestrating agent is compromised. Because it acts as a direct bridge to database storage engines, its security posture is heavily dependent on the underlying cluster credential permissions.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.66
Factor sum: 4.2 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.9

Check: AARS = (10 − 8.5) × 0.42 × 1.05 = 0.66; AIVSS = (8.5 + 0.66) × 0.9 = 8.24, reported as 8.2 (High).

Agentic risk factors (each scored 0 to 1; they sum to 4.2):
Autonomy of Action: 0.60
Goal-Driven Planning: 0.30
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.20
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
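The formula above carried through in code, as an added example (not the page's or the AIVSS project's own calculator). It reproduces this page's 0.66 uplift and 8.2 total from the listed factors, and also shows what the score becomes when no mitigation credit is applied. The severity bands (Low/Medium/High/Critical at the CVSS v3 cut-offs) are an assumption about how AIVSS labels scores; the page only shows that 8.2 maps to High.

```python
from __future__ import annotations

# Agentic risk factors exactly as listed on this page (each in [0, 1]).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def factor_sum(factors: dict[str, float]) -> float:
    """Sum of the ten agentic factors; refuses malformed input instead of silently mis-scoring."""
    if len(factors) != 10:
        raise ValueError(f"AIVSS expects 10 agentic factors, got {len(factors)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must lie in [0, 1], got {value}")
    return sum(factors.values())


def aars(cvss_base: float, factors: dict[str, float], threat_multiplier: float) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.

    The (10 - CVSS_Base) term caps the uplift so base + uplift cannot exceed 10 before mitigation.
    """
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict[str, float],
          threat_multiplier: float, mitigation_factor: float) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score: float) -> str:
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3 bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def score_couchbase_mcp(mitigation_factor: float = 0.9) -> tuple[float, float, str]:
    """This page's inputs: CVSS base 8.5, ThM 1.05, mitigation 0.9 (overridable to test sensitivity)."""
    uplift = aars(8.5, AGENTIC_FACTORS, 1.05)
    total = round(aivss(8.5, AGENTIC_FACTORS, 1.05, mitigation_factor), 1)
    return round(uplift, 2), total, severity(total)


if __name__ == "__main__":
    for mf in (0.9, 1.0):
        print(f"mitigation x{mf}:", score_couchbase_mcp(mf))
```

The second run (mitigation ×1.0) is the point worth noticing: with the same base and factors the score is 9.2, Critical, so the High rating on this page rests on the ×0.9 mitigation credit actually being earned in the deployment.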

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing. The Couchbase MCP server is model-agnostic and ships no foundation model of its own, so model-level threats such as prompt injection live entirely in the external orchestrating LLM. What matters for this server is that whatever that model emits as a tool call arrives at the database tools as input, and is only as trusted as the validation the server applies to it.

L2 · Data Operations · ✓ mapped

Directly exposes Couchbase bucket data through N1QL/SQL++ queries and key-value operations. If attacker-controlled text reaches a query or a document write (for example via prompt injection into the orchestrating agent), the outcomes are exfiltration, unauthorized modification, or poisoning of stored documents that later agent runs read back as trusted context.

L3 · Agent Frameworks · ✓ mapped

Exposes powerful database manipulation tools to agent frameworks. A tool that builds a N1QL statement by concatenating model-supplied strings instead of binding them as query parameters is open to N1QL injection, the same failure class as SQL injection; a tool that forwards an arbitrary statement also permits unintended bulk changes, since a DELETE or UPDATE without a WHERE clause touches every document in the keyspace.
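The two query-building patterns described above, side by side, plus a gate a server could apply at the tool boundary. This is an added example, not code from the Couchbase MCP server; the keyspace `travel-sample`.inventory.airline, the hostile input and the `admit_statement` gate are constructed for illustration. The statement/parameter pair is the shape the Couchbase Python SDK accepts through `cluster.query(stmt, QueryOptions(named_parameters=params))`; the block does not import the SDK, so it runs offline and shows only what would be sent.

```python
from __future__ import annotations

import logging
import re

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("couchbase-mcp-guard")

# Constructed example of a value a prompt-injected agent might hand a "find airline" tool:
# it closes the string literal, appends an always-true predicate and comments out the remainder.
HOSTILE_IATA = "AA' OR 1=1 -- "


def build_query_unsafe(iata: str) -> tuple[str, dict[str, str]]:
    """Vulnerable pattern: model-supplied text spliced into the statement text (N1QL injection)."""
    stmt = f"SELECT name FROM `travel-sample`.inventory.airline WHERE iata = '{iata}'"
    return stmt, {}


def build_query_safe(iata: str) -> tuple[str, dict[str, str]]:
    """Hardened pattern: fixed statement, value bound as the named parameter $iata.

    The query service binds the parameter as data, so quotes or keywords inside it never
    become part of the statement.
    """
    stmt = "SELECT name FROM `travel-sample`.inventory.airline WHERE iata = $iata"
    return stmt, {"iata": iata}


# Hypothetical gate applied at the tool boundary before anything reaches the cluster.
_SELECT = re.compile(r"^\s*SELECT\b", re.IGNORECASE)
_DML = re.compile(r"^\s*(DELETE|UPDATE|INSERT|UPSERT|MERGE)\b", re.IGNORECASE)
_SCOPED = re.compile(r"\b(WHERE|USE\s+KEYS)\b", re.IGNORECASE)
_LITERAL = re.compile(r"'")


def admit_statement(stmt: str, params: dict[str, str], *, allow_writes: bool = False) -> bool:
    """Return True if the statement may be forwarded; every decision is logged (a minimal audit trail)."""
    # Assumption: templates in this deployment carry all values as parameters, so a quoted
    # literal inside the statement text means something was concatenated in.
    if _LITERAL.search(stmt):
        log.warning("rejected statement with inline string literal: %s", stmt)
        return False
    if _SELECT.match(stmt):
        log.info("forwarding statement=%r params=%r", stmt, params)
        return True
    dml = _DML.match(stmt)
    if dml and allow_writes:
        verb = dml.group(1).upper()
        # DELETE/UPDATE must be narrowed to specific documents; without WHERE or USE KEYS
        # they touch every document in the keyspace.
        if verb in ("DELETE", "UPDATE") and not _SCOPED.search(stmt):
            log.warning("rejected unbounded %s: %s", verb, stmt)
            return False
        log.info("forwarding write statement=%r params=%r", stmt, params)
        return True
    log.warning("rejected statement (not SELECT, or writes disabled): %s", stmt)
    return False


if __name__ == "__main__":
    for builder in (build_query_unsafe, build_query_safe):
        stmt, params = builder(HOSTILE_IATA)
        print(builder.__name__, "->", stmt, params, "admitted:", admit_statement(stmt, params))
```

The gate is a defence in depth, not the primary control: a read-only cluster credential stops the DELETE regardless of what the regex decides, and the regex only catches the cases it was written for.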

L4 · Deployment & Infrastructure · ✓ mapped

Must be hosted where it has network reach to both the LLM client and the Couchbase cluster, and it holds the cluster credentials it authenticates with. Compromise of that host, or a credential left in a config file, environment dump, or container image, exposes those credentials, and with them everything the cluster lets that user do.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing. The description does not say whether the server has built-in logging, query auditing, or guardrails that would detect or block anomalous database operations. Until that is confirmed, assume detection has to come from outside the server: the cluster's own audit logging, or logging at the tool-call boundary in the host that runs the MCP server.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Access control is whatever the cluster credential allows: the server authenticates as a Couchbase user, and the cluster's RBAC decides what that user may read or write. Least privilege therefore means a dedicated user whose roles are scoped to the specific buckets (and scopes/collections) the agent needs, read-only unless a write path is genuinely required, rather than a full-access or Administrator account.
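A check for the least-privilege point above: given the role list of the Couchbase user the MCP server authenticates as, flag cluster-wide admin roles, write roles on a credential meant to be read-only, roles not restricted to a bucket, and roles broader than the keyspaces the agent is supposed to touch. This is an added example, not part of the Couchbase MCP server or of Couchbase's tooling; it reads role strings in the `role[bucket:scope:collection]` form that couchbase-cli accepts, the role groupings are the author's (the read-only allow list is an assumption that the agent only needs to read), and the user lists at the bottom are constructed.

```python
from __future__ import annotations

import re

# Couchbase RBAC role strings in the form couchbase-cli accepts: role[bucket:scope:collection].
# No bracket means the role applies cluster-wide; "*" at any level means "all".
_ROLE = re.compile(r"^(?P<role>[a-z_]+)(?:\[(?P<target>[^\]]*)\])?$")

# Built-in roles grouped by what they let an agent do. Assumption: the agent's tools only need to
# read documents; a deployment with a write tool would move the one write role it needs into its
# own allow list rather than granting any of the broad ones.
CLUSTER_ADMIN_ROLES = {"admin", "cluster_admin", "security_admin_local", "security_admin_external"}
WRITE_ROLES = {"bucket_admin", "bucket_full_access", "data_writer",
               "query_insert", "query_update", "query_delete", "query_manage_index"}
EGRESS_ROLES = {"query_external_access"}  # enables CURL() inside N1QL: outbound HTTP from the query node
READ_ROLES = {"data_reader", "query_select"}


def parse_role(spec: str) -> tuple[str, list[str]]:
    """Split 'query_select[travel-sample:inventory:airline]' into ('query_select', [bucket, scope, collection])."""
    m = _ROLE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised role spec: {spec!r}")
    target = m.group("target")
    parts = target.split(":") if target else []
    # Trailing wildcards add nothing: bucket:*:* is the same grant as bucket.
    while parts and parts[-1] in ("", "*"):
        parts.pop()
    return m.group("role"), parts


def _within(keyspace: str, allowed: set[str]) -> bool:
    """True if keyspace equals an allowed entry or lies beneath one (bucket > scope > collection)."""
    return any(keyspace == a or keyspace.startswith(a + ":") for a in allowed)


def audit_roles(specs: list[str], allowed_keyspaces: set[str] | None = None) -> list[str]:
    """Least-privilege findings for a Couchbase user's role list; an empty list means clean."""
    findings: list[str] = []
    for spec in specs:
        role, parts = parse_role(spec)
        if role in CLUSTER_ADMIN_ROLES:
            findings.append(f"{spec}: cluster-wide admin role; reads/writes every bucket and can change RBAC")
            continue
        if role in EGRESS_ROLES:
            findings.append(f"{spec}: allows CURL() from N1QL, an outbound HTTP path from the query node")
            continue
        if role in WRITE_ROLES:
            findings.append(f"{spec}: write/DDL role on a credential that should be read-only")
        elif role not in READ_ROLES:
            findings.append(f"{spec}: role not on the read-only allow list; review manually")
        if not parts:
            findings.append(f"{spec}: not restricted to a bucket (applies to all buckets)")
        elif allowed_keyspaces is not None and not _within(":".join(parts), allowed_keyspaces):
            findings.append(f"{spec}: broader than the allowed keyspaces {sorted(allowed_keyspaces)}")
    return findings


if __name__ == "__main__":
    # Constructed role lists for three hypothetical users the MCP server could authenticate as.
    users = {
        "agent-admin (bad)": ["admin"],
        "agent-rw (too broad)": ["data_writer[travel-sample]", "query_select[*]"],
        "agent-reader (least privilege)": ["query_select[travel-sample:inventory:airline]",
                                          "data_reader[travel-sample:inventory:airline]"],
    }
    for name, roles in users.items():
        print(name, "->", audit_roles(roles, {"travel-sample:inventory:airline"}) or "clean")
```

The clean user in the example corresponds to a local user created with couchbase-cli user-manage --set --rbac-username agent-reader --roles 'query_select[travel-sample:inventory:airline],data_reader[travel-sample:inventory:airline]' --auth-domain local (cluster address, admin login and the agent password omitted here); the same role list is what the cluster's RBAC settings report for that user, so the audit can run against either the intended grant or the actual one.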

L7 · Agent Ecosystem · ✓ mapped

As an MCP server it is built to be called by agents, including agents acting on behalf of other agents. A compromised upstream agent, or a malicious step in a multi-agent workflow, inherits whatever the server's cluster credential allows, so the blast radius of an upstream compromise is the privilege set of that credential.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).