
furey/mongodb-lens — agentic threat model

AIVSS 9.2 · Critical

This agent exposes broad, potentially destructive database operations (CRUD, queries, and collection inspection) directly to LLMs via the Model Context Protocol. Its primary risk is the lack of built-in sandboxing or access controls, making it a high-impact vector for data exfiltration or destruction if the orchestrating model is compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.66
Factor sum: 4.2 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.00–1.00; these ten sum to 4.2):

Autonomy of Action: 0.60
Goal-Driven Planning: 0.40
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.30
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing: the agent is an MCP server and does not bundle a specific foundation model. However, it is highly exposed to L1 adversarial prompt injection or jailbreaks against the host client model, which could drive the agent to execute destructive database queries.

L2 · Data Operations (✓ mapped)

Directly interacts with MongoDB databases. Threats include unauthorized data exfiltration of sensitive collections, database poisoning via malicious document insertion, and lack of data lineage tracking for LLM-generated writes.

L3 · Agent Frameworks (✓ mapped)

Exposes powerful database tools (CRUD, aggregation, inspection) to the orchestrating framework. Insecure tool integration or lack of input sanitization on the query/aggregation parameters could allow NoSQL injection or arbitrary database command execution.

L4 · Deployment & Infrastructure (✓ mapped)

Requires connection-string credentials to access MongoDB. If these credentials are not securely stored or injected, they risk exposure. There is no mention of network sandboxing to restrict which database hosts the MCP server can connect to.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing: the description does not mention built-in logging, auditing of executed queries, or guardrails that would stop mass-deletion or bulk-exfiltration commands before they reach the database.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Lacks native authentication and authorization controls. It relies entirely on the underlying MongoDB connection string's permissions, meaning it lacks fine-grained, user-level policy enforcement or compliance auditing.

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, it can be called by other agents in a multi-agent ecosystem. This introduces cascading risks where a compromised upstream agent could abuse this tool to drop collections or exfiltrate database contents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).