influx-mcp — agentic threat model
influx-mcp presents a high-risk profile due to its ability to execute arbitrary Flux queries over sensitive Home Assistant telemetry, making it highly vulnerable to prompt injection that could expose private household patterns.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not give enough detail to assess that layer specifically.
Layer 1, Foundation Models (not certain from the listing): the underlying foundation model is not specified, but whichever model is used remains susceptible to indirect prompt injection via malicious sensor data stored in InfluxDB, which could reprogram the model's behavior during query execution.
Layer 2, Data Operations: the agent directly queries InfluxDB 2.x time-series databases. The primary threat is exfiltration of sensitive IoT/Home Assistant telemetry, plus data poisoning if malicious actors can write crafted states to sensors that the agent later reads.
Layer 3, Agent Frameworks: the agent framework exposes a highly sensitive tool, namely arbitrary Flux query execution. This creates a severe tool-misuse vulnerability in which an LLM can be manipulated into executing destructive or unauthorized database queries.
Layer 4, Deployment and Infrastructure: the agent holds an InfluxDB access token. If the hosting environment (e.g., the Home Assistant supervisor or a local container) is compromised, this token can be exfiltrated, giving direct database access outside the agent's boundaries.
Layer 5, Evaluation and Observability (not certain from the listing): there is no mention of built-in guardrails, query validation, or logging mechanisms to detect and block malicious Flux queries or anomalous data-exfiltration patterns.
Layer 6, Security and Compliance: the agent lacks fine-grained authorization controls; any agent or user with access to the MCP server inherits the full permissions of the underlying InfluxDB token, violating the principle of least privilege.
Layer 7, Agent Ecosystem: as an MCP server, this agent is designed to be called by other orchestrator agents. This introduces cascading risk, where a compromised upstream agent can abuse influx-mcp to scan the entire local network's historical telemetry.
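One mitigation for the tool-misuse, missing-validation and least-privilege points raised above is a read-only guard placed in front of the Flux execution tool: it rejects writes, bucket enumeration and network-capable imports, pins reads to an allowlisted bucket, bounds the history window and caps the row count before anything reaches InfluxDB. The Python below is an added example, not influx-mcp's own code; the bucket name, 7-day window and row cap are constructed policy values.

```python
import re

# Constructed policy for a hypothetical read-only guard in front of the Flux
# execution tool. Added example, not influx-mcp's own code.
ALLOWED_BUCKETS = {"home_assistant"}   # buckets the MCP tool may read from
MAX_RANGE_SECONDS = 7 * 24 * 3600      # at most 7 days of history per query
MAX_ROWS = 10_000                      # hard cap on rows returned to the model

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Flux constructs that write data, enumerate the database, or reach the network.
_FORBIDDEN = re.compile(
    r'\bto\s*\('                               # to() / experimental.to() write to a bucket
    r'|\bbuckets\s*\('                         # buckets() lists every bucket the token can see
    r'|import\s+"(?:http|sql|experimental)'    # outbound HTTP, SQL sources, write helpers
)
_FROM = re.compile(r'from\s*\(\s*bucket\s*:\s*"([^"]*)"\s*\)')
_RANGE = re.compile(r'range\s*\(\s*start\s*:\s*-(\d+)([smhdw])\b')
_LIMIT = re.compile(r'\blimit\s*\(')


def guard_flux_query(query: str) -> tuple[bool, str]:
    """Return (True, query_to_run) or (False, reason); never contacts InfluxDB."""
    q = query.strip()
    if _FORBIDDEN.search(q):
        return False, "query uses a write, enumeration or network construct"
    buckets = _FROM.findall(q)
    if not buckets:
        return False, "query must read from a named bucket via from(bucket: ...)"
    disallowed = sorted(set(buckets) - ALLOWED_BUCKETS)
    if disallowed:
        return False, f"bucket not allowed: {', '.join(disallowed)}"
    match = _RANGE.search(q)
    if not match:
        return False, "query must bound history with range(start: -<duration>)"
    seconds = int(match.group(1)) * _UNIT_SECONDS[match.group(2)]
    if seconds > MAX_RANGE_SECONDS:
        return False, f"range of {seconds}s exceeds {MAX_RANGE_SECONDS}s"
    if not _LIMIT.search(q):
        q = f"{q}\n  |> limit(n: {MAX_ROWS})"   # cap rows even when the model omits a limit
    return True, q
```

Only relative durations in `range(start: -<duration>)` are accepted, so absolute timestamps are rejected rather than parsed. Pair the guard with an InfluxDB token scoped read-only to the same bucket, so it is defence in depth rather than the only control.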
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).