datadog-mcp — agentic threat model
The datadog-mcp agent presents a high-risk profile due to its direct read/write access to critical monitoring infrastructure combined with the ingestion of untrusted log data, making it highly susceptible to indirect prompt injection that could silence alerts or disrupt operations.
OWASP AIVSS score rationale
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.70 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — the specific LLM is determined by the MCP host/client, making it vulnerable to standard prompt injection and adversarial inputs that could trigger unauthorized API calls.
The agent ingests untrusted log data and incident text from Datadog, creating a high risk of indirect prompt injection if malicious payloads are stored in logs and subsequently read by the agent.
The agent exposes powerful read/write tools for Datadog APIs. Vulnerabilities here include tool misuse, where an injected instruction or rogue plan silences critical monitors or deletes dashboards.
Not certain from the listing — deployment details depend on the host environment running the MCP server, but it requires sensitive Datadog API keys/secrets which must be securely stored and sandboxed to prevent exfiltration.
Not certain from the listing — there is no mention of built-in guardrails, evaluation suites, or output filtering to prevent destructive write actions or verify natural-language commands before execution.
The agent relies on the underlying Datadog API key permissions for authorization. If the API key has broad write access, the agent inherits those privileges without fine-grained, agent-specific policy enforcement.
As an MCP tool, this agent is designed to be plugged into broader agentic ecosystems, meaning other upstream agents can invoke it, compounding the risk of cascading failures or unauthorized actions if an upstream agent is compromised.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).