
databricks-mcp — agentic threat model

AIVSS 4.7 · Medium

The databricks-mcp agent presents a low-to-moderate risk profile due to its strictly read-only SQL design and configurable row limits, though it remains vulnerable to data exfiltration of sensitive warehouse contents if prompted maliciously.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 5.3
AARS uplift: 1.03
Factor sum: 2.3 / 10
Threat multiplier (ThM): ×0.95
Mitigation factor: ×0.75

Agentic risk factors:
  Autonomy of Action          0.30
  Goal-Driven Planning        0.20
  Self-Modification           0.00
  Dynamic Tool Use            0.40
  Persistent Memory           0.10
  Contextual Awareness        0.30
  Dynamic Identity            0.20
  Multi-Agent Interactions    0.10
  Non-Determinism             0.40
  Opacity & Reflexivity       0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
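A worked computation of the score above, added here as an example and not taken from the listing or from the databricks-mcp project: it reproduces the AARS uplift and the final AIVSS figure from the ten factor values, the CVSS base, the threat multiplier and the mitigation factor shown on this page. Rounding the uplift to two decimals and the final score to one decimal is an assumption made to match the displayed figures.

```python
# Added example: recompute this page's OWASP AIVSS figures from its own inputs
# using the formula quoted on the page. Rounding choices (2 decimals for AARS,
# 1 decimal for AIVSS) are assumed to match the displayed values.

# The ten agentic risk factors with the values the page assigns them.
FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.40,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}
CVSS_BASE = 5.3     # CVSS base score shown on the page
THM = 0.95          # threat multiplier shown on the page
MITIGATION = 0.75   # mitigation factor shown on the page


def factor_sum(factors):
    """Sum the factors; each must lie in 0..1 so Factor_Sum / 10 never exceeds 1."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} = {value} is outside the 0..1 range")
    return sum(factors.values())


def aars(cvss_base, factors, thm):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.
    The uplift scales the headroom above the CVSS base by how agentic the system is."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


if __name__ == "__main__":
    uplift = aars(CVSS_BASE, FACTORS, THM)
    score = aivss(CVSS_BASE, FACTORS, THM, MITIGATION)
    print(f"Factor sum {factor_sum(FACTORS):.1f}/10, "
          f"AARS {uplift:.2f}, AIVSS {score:.1f}")
```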

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not pin that layer down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the agent relies on external LLMs via the Model Context Protocol (MCP) to generate SQL queries, making it susceptible to prompt injection that could craft malicious read-only queries to bypass intended schema boundaries.

L2 · Data Operations (✓ mapped)

Directly interfaces with Databricks SQL warehouses. While mutation risk is mitigated by read-only access, the primary threat is unauthorized data exploration, profiling, and exfiltration of sensitive database records via injected SQL commands.

L3 · Agent Frameworks (✓ mapped)

Exposes tool definitions for SQL querying and data profiling. Vulnerabilities include insecure tool integration if the hosting MCP client fails to sanitize inputs before passing them to the Databricks SQL execution tool.

L4 · Deployment & Infrastructure (✓ mapped)

Requires hosting with access to a DATABRICKS_TOKEN and HTTP path. Compromise of the hosting environment or MCP server process would expose these high-value secrets, granting direct warehouse access to attackers.

L5 · Evaluation & Observability (✓ mapped)

Features a configurable MAX_ROWS cap as a runtime guardrail to limit exfiltration volume. However, there is no mention of query-level anomaly detection, rate limiting, or audit logging of executed SQL statements.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Enforces token-based warehouse authentication and read-only access controls. However, it lacks fine-grained user-level authorization mapping, meaning any user interacting with the agent inherits the permissions of the underlying DATABRICKS_TOKEN.

L7 · Agent Ecosystem (✓ mapped)

Designed as an MCP tool to be called by other orchestrators or agents. This introduces cascading risks where a compromised upstream agent could abuse this tool to systematically harvest data from the Databricks warehouse.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).