Firebase MCP — agentic threat model
The Firebase MCP server presents a high-risk profile due to its direct access to production databases, user authentication, and security rules using developer credentials. Without strict human-in-the-loop guardrails, prompt injection on the orchestrating LLM could lead to catastrophic data loss or security posture degradation.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.30 |
| Dynamic Identity | 0.70 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models). Not certain from the listing: the MCP server itself does not include a foundation model, but it is designed to be called by one. Threats include prompt injection on the orchestrating LLM leading to unauthorized tool execution, such as deleting Firestore collections or disabling security rules.
Layer 2 (Data Operations). The MCP server directly accesses Firestore and the Realtime Database. Threats include unauthorized data exfiltration, data poisoning, or bulk deletion of production databases if the LLM is manipulated.
Layer 3 (Agent Frameworks). The MCP protocol orchestrates tool calling. Threats include insecure tool integration, where the LLM invokes destructive Firebase commands (such as deploying permissive security rules) without sufficient validation or human-in-the-loop confirmation.
Layer 4 (Deployment and Infrastructure). Not certain from the listing: the deployment environment of the MCP server (local machine vs. hosted) dictates the infrastructure risk. If run locally, a compromise could expose local developer credentials and the firebase-tools configuration.
Layer 5 (Evaluation and Observability). Not certain from the listing: there is no mention of built-in guardrails, logging, or anomaly detection. Without explicit observability, malicious or accidental destructive actions (e.g., wiping Auth users) may go undetected until post-incident review.
Layer 6 (Security and Compliance). The server operates using the developer's active Firebase credentials. The primary threat is privilege creep and a lack of fine-grained access control, since the MCP server inherits full developer permissions rather than adhering to the principle of least privilege.
Layer 7 (Agent Ecosystem). Not certain from the listing: if integrated into a multi-agent system, a compromised secondary agent could exploit this MCP server to gain administrative control over the entire Firebase project.
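The human-in-the-loop and least-privilege controls called for in Layers 3 and 6 can be enforced by a policy gate sitting between the orchestrating LLM and the MCP server. The following is an added example written for this page, not code from Firebase or the MCP server; the tool names, the read-only allowlist and the `approved` flag are constructed assumptions, and the rules scanner only catches the literal `allow ...: if true;` pattern.

```python
"""Policy gate between an LLM orchestrator and a Firebase MCP server.

Default is least privilege: only tools on the read-only allowlist pass
unattended, destructive tools need human approval, and rules deployments
are refused outright when they grant unconditional access.
"""
import re
from dataclasses import dataclass

# Constructed tool names (assumption, not the server's real tool list).
READ_ONLY_TOOLS = {"firestore_get_document", "firestore_list_collections",
                   "database_get_data", "auth_get_user"}
DESTRUCTIVE_TOOLS = {"firestore_delete_collection", "database_delete_path",
                     "auth_delete_user", "auth_delete_all_users"}
RULES_TOOLS = {"firestore_deploy_rules", "storage_deploy_rules"}

# Matches `allow read, write: if true;` (any verb list, any spacing).
_WIDE_OPEN = re.compile(r"allow\s+[\w,\s]+:\s*if\s+true\s*;", re.IGNORECASE)


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" | "require_approval" | "deny"
    reason: str


def rules_are_wide_open(rules_src: str) -> bool:
    """True if any allow statement grants access unconditionally."""
    return bool(_WIDE_OPEN.search(rules_src))


def evaluate_tool_call(tool: str, args: dict, approved: bool = False) -> Decision:
    """Classify one MCP tool call; `approved` is a human's confirmation."""
    if tool in RULES_TOOLS:
        if rules_are_wide_open(args.get("rules", "")):
            return Decision("deny", f"{tool}: rules grant unconditional access")
        if not approved:
            return Decision("require_approval", f"{tool}: modifies production security rules")
        return Decision("allow", f"{tool}: rules deployment approved")
    if tool in DESTRUCTIVE_TOOLS:
        if not approved:
            return Decision("require_approval", f"{tool}: destructive action on production data")
        return Decision("allow", f"{tool}: destructive action approved")
    if tool in READ_ONLY_TOOLS:
        return Decision("allow", f"{tool}: read-only")
    # Unknown tools are not trusted by default (least privilege).
    return Decision("require_approval", f"{tool}: not on the read-only allowlist")


if __name__ == "__main__":
    # Constructed sample: a prompt-injected request to open the database.
    open_rules = "match /{doc=**} {\n  allow read, write: if true;\n}"
    print(evaluate_tool_call("firestore_deploy_rules", {"rules": open_rules}))
    print(evaluate_tool_call("firestore_delete_collection", {"path": "users"}))
```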
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).