
Datadog MCP Server — agentic threat model

AIVSS 7.4 · High

The Datadog MCP Server poses a high data exposure risk by bridging LLMs directly to production telemetry, where prompt injection could lead to unauthorized extraction of sensitive logs, traces, and API keys.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5 · AARS uplift 0.78 · Factor sum 3.1/10 · Threat ×1.0 · Mitigation ×0.9

Agentic risk factors:

Autonomy of Action: 0.30
Goal-Driven Planning: 0.40
Self-Modification: 0.00
Dynamic Tool Use: 0.60
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.30
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — the MCP server itself is model-agnostic, but the LLM driving it is vulnerable to prompt injection, which could force unauthorized log queries or data exfiltration.

L2 · Data Operations ✓ mapped

High risk of data exfiltration or exposure of sensitive production telemetry (PII, secrets, and system architectures contained in logs and APM traces) pulled into the LLM context.

L3 · Agent Frameworks ✓ mapped

Vulnerable to tool misuse via prompt injection, where an attacker tricks the orchestrating agent into running broad, unauthorized log searches or correlating sensitive traces.

L4 · Deployment & Infrastructure ✓ mapped

Secrets management is critical; compromise of the host running this MCP server exposes Datadog API/App keys, granting broad read access to production telemetry.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — lacks explicit mention of guardrails, query rate-limiting, or audit logging of the MCP server's own actions to detect anomalous data harvesting.

L6 · Security & Compliance (cross-cutting) ✓ mapped

Relies on Datadog's API key permissions for access control; lacks fine-grained user-level authorization within the MCP server itself, potentially violating least privilege.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — as an MCP server, it can be exposed to other agents in a multi-agent workflow, risking cascading data exposure if a downstream agent is compromised.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).