AgentReady · Home · Agent Listing


Firebase MCP — agentic threat model

AIVSS 9.9 · Critical

The Firebase MCP server presents a high-risk profile due to its direct access to production databases, user authentication, and security rules using developer credentials. Without strict human-in-the-loop guardrails, prompt injection on the orchestrating LLM could lead to catastrophic data loss or security posture degradation.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.08
Factor sum: 3.8/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each scored 0 to 1):
Autonomy of Action: 0.60
Goal-Driven Planning: 0.20
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.20
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The MCP server itself does not include a foundation model, but it is designed to be called by one. Threats include prompt injection on the orchestrating LLM leading to unauthorized tool execution, such as deleting Firestore collections or disabling security rules.

L2 · Data Operations · ✓ mapped

The MCP server directly accesses Firestore and Realtime Database. Threats include unauthorized data exfiltration, data poisoning, or bulk deletion of production databases if the LLM is manipulated.

L3 · Agent Frameworks · ✓ mapped

The MCP protocol orchestrates tool calling. Threats include insecure tool integration where the LLM invokes destructive Firebase commands (like deploying permissive security rules) without sufficient validation or human-in-the-loop confirmation.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — The deployment environment of the MCP server (local machine vs. hosted) dictates the infrastructure risk. If run locally, a compromise could expose local developer credentials and the firebase-tools configuration.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, logging, or anomaly detection. Without explicit observability, malicious or accidental destructive actions (e.g., wiping Auth users) may go undetected until post-incident.
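The L3 and L5 gaps above (destructive tool calls without validation or human confirmation, and no record of what the agent did) can be closed at the same point: a policy gate between the orchestrating LLM and the MCP tool dispatcher. The example below is added here and is not code from the listing or from the Firebase MCP server; the tool names and argument shapes are constructed placeholders, not the real Firebase MCP tool names. It holds destructive calls until a human approves that exact request, refuses a rules deployment that grants unconditional access, and writes an audit entry for every decision so that a wiped collection shows up in a log rather than only after the fact.

```python
"""Added example (not part of the listing and not Firebase MCP's own code):
a policy gate between the orchestrating LLM and the MCP tool dispatcher."""

import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed, hypothetical tool names for illustration only; they are not the
# real Firebase MCP tool names. Anything not listed is treated as read-only.
DESTRUCTIVE_TOOLS = {
    "firestore_delete_collection",  # bulk deletion of production data
    "rtdb_delete_path",             # same for Realtime Database
    "auth_delete_users",            # wiping Auth users
    "rules_deploy",                 # replacing the live security rules
}
MUTATING_TOOLS = {"firestore_set_document", "auth_create_user"}

# Matches a rule that grants access to any client unconditionally,
# e.g. `allow read, write: if true;` in Firebase rules syntax.
PERMISSIVE_RULE = re.compile(r"\ballow\s+[\w,\s]*:\s*if\s+true\s*;")


def request_id(tool: str, args: dict) -> str:
    """Stable digest of one exact request, so an approval given for one call
    cannot be reused for a different tool or different arguments."""
    canonical = json.dumps({"tool": tool, "args": args}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def classify(tool: str) -> str:
    """Coarse blast-radius class of a tool; unknown tools default to read-only."""
    if tool in DESTRUCTIVE_TOOLS:
        return "destructive"
    if tool in MUTATING_TOOLS:
        return "mutating"
    return "read-only"


@dataclass
class PolicyGate:
    approvals: set = field(default_factory=set)    # single-use human approvals
    audit_log: list = field(default_factory=list)  # one entry per decision

    def approve(self, tool: str, args: dict) -> None:
        """Record that a human approved this exact request, out of band."""
        self.approvals.add(request_id(tool, args))

    def decide(self, tool: str, args: dict, actor: str = "llm") -> str:
        """Return 'allow', 'needs_approval' or 'deny', and append an audit entry."""
        rid = request_id(tool, args)
        level = classify(tool)
        reason = ""
        if tool == "rules_deploy" and PERMISSIVE_RULE.search(args.get("rules", "")):
            # Refused even with an approval: a world-open ruleset is never a valid deploy.
            decision, reason = "deny", "rules grant unconditional access to all clients"
        elif level == "destructive" and rid not in self.approvals:
            decision, reason = "needs_approval", "destructive call without human approval"
        else:
            decision = "allow"
            self.approvals.discard(rid)   # consume the approval so it cannot be replayed
        # Log the request digest rather than raw arguments so secrets stay out of the log.
        self.audit_log.append({"actor": actor, "tool": tool, "request": rid,
                               "level": level, "decision": decision, "reason": reason})
        return decision


if __name__ == "__main__":
    gate = PolicyGate()
    print(gate.decide("firestore_get_document", {"path": "users/u1"}))       # allow
    print(gate.decide("firestore_delete_collection", {"path": "users"}))     # needs_approval
    gate.approve("firestore_delete_collection", {"path": "users"})            # human signs off
    print(gate.decide("firestore_delete_collection", {"path": "users"}))     # allow (approval consumed)
    print(gate.decide("rules_deploy", {"rules": "allow read, write: if true;"}))  # deny
    for entry in gate.audit_log:
        print(json.dumps(entry))
```

Two design choices carry the weight: approvals are keyed to a digest of the exact tool and arguments and consumed on use, so a prompt-injected "repeat that deletion on another collection" still stops at the gate; and the audit record is written on every path, including allows, because the read-only call pattern that precedes a destructive one is what an analyst needs when reconstructing an incident.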

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Operates using the developer's active Firebase credentials. The primary threat is privilege creep and lack of fine-grained access control, as the MCP server inherits full developer permissions rather than adhering to the principle of least privilege.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — If integrated into a multi-agent system, a compromised secondary agent could exploit this MCP server to gain administrative control over the entire Firebase project.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).