

isaacwasserman/mcp-snowflake-server — agentic threat model

AIVSS 8.6 · High

This agentic tool poses a high security risk due to its direct integration with Snowflake data warehouses, enabling both read and optional write operations. If compromised via prompt injection or insecure orchestration, it could be abused to exfiltrate sensitive corporate data or execute destructive database commands.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.58
Factor sum: 3.9 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.95

Worked through: AARS = (10 − 8.5) × (3.9 / 10) × 1.0 = 0.585; AIVSS = (8.5 + 0.585) × 0.95 = 8.63, reported as 8.6. Without the 0.95 mitigation credit the same inputs give 9.1, so that factor is what holds this listing at 8.6.

Agentic risk factors (each scored 0.0 to 1.0; they sum to 3.9):
Autonomy of Action: 0.60
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.30
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors are estimates derived from the server's described capabilities, not measurements of its behaviour.
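To make the score reproducible, the following is an added example (not part of this listing and not the OWASP AIVSS calculator's own code) that implements the formula above over the page's inputs, validates the ranges, and shows how much mitigation credit a reviewer would have to justify to move the listing into a lower band. The qualitative bands are assumed here to follow the CVSS v3.x ranges; the page only states that 8.6 is High, which is consistent with them.

```python
from typing import Mapping

# The ten OWASP AIVSS agentic risk factors, each scored from 0.0 to 1.0.
AGENTIC_FACTORS = (
    "Autonomy of Action", "Goal-Driven Planning", "Self-Modification",
    "Dynamic Tool Use", "Persistent Memory", "Contextual Awareness",
    "Dynamic Identity", "Multi-Agent Interactions", "Non-Determinism",
    "Opacity & Reflexivity",
)

# Sample input: the factor estimates from this listing.
MCP_SNOWFLAKE_FACTORS = {
    "Autonomy of Action": 0.60, "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00, "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.20, "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.50, "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.50, "Opacity & Reflexivity": 0.40,
}


def severity(score: float) -> str:
    """Qualitative band for a 0-10 score. Assumption: CVSS v3.x ranges
    (None / Low / Medium / High / Critical), which match the page's 'High'."""
    s = round(score, 1)
    if s <= 0.0:
        return "None"
    if s <= 3.9:
        return "Low"
    if s <= 6.9:
        return "Medium"
    if s <= 8.9:
        return "High"
    return "Critical"


def aivss(cvss_base: float, factors: Mapping[str, float],
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> dict:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, with
    AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, as stated on the page."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in [0, 10]")
    missing = [name for name in AGENTIC_FACTORS if name not in factors]
    if missing:
        raise ValueError("missing agentic factors: " + ", ".join(missing))
    for name in AGENTIC_FACTORS:
        if not 0.0 <= factors[name] <= 1.0:
            raise ValueError(name + " must be in [0, 1]")
    if not 0.0 < mitigation_factor <= 1.0:
        raise ValueError("mitigation factor must be in (0, 1]")
    factor_sum = sum(factors[name] for name in AGENTIC_FACTORS)
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return {"factor_sum": factor_sum, "aars": aars, "score": score,
            "severity": severity(score)}


def mitigation_to_reach(cvss_base: float, factors: Mapping[str, float],
                        target: float, threat_multiplier: float = 1.0) -> float:
    """Largest mitigation factor that brings the score down to `target`, i.e. the
    amount of mitigation credit needed before the band changes."""
    unmitigated = aivss(cvss_base, factors, threat_multiplier)
    return target / (cvss_base + unmitigated["aars"])


if __name__ == "__main__":
    r = aivss(8.5, MCP_SNOWFLAKE_FACTORS, threat_multiplier=1.0, mitigation_factor=0.95)
    print(f"factor sum {r['factor_sum']:.1f}  AARS {r['aars']:.3f}  "
          f"AIVSS {r['score']:.2f} -> {r['score']:.1f} ({r['severity']})")
    print(f"mitigation factor needed for Medium (6.9): "
          f"{mitigation_to_reach(8.5, MCP_SNOWFLAKE_FACTORS, 6.9):.3f}")
```

With the page's inputs the unmitigated score is 9.085, so the 0.95 factor is the only thing separating this listing from the next band up; a reviewer disputing that credit should expect the score to move accordingly.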

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server does not define or bundle a foundation model, but whichever LLM drives it is exposed to indirect prompt injection: the query results this server returns are untrusted text fed straight back into the model's context, so a row value or a column comment that contains instructions can steer the next tool call into an unauthorized or destructive SQL statement.

L2 · Data Operations (✓ mapped)

Directly interacts with Snowflake data warehouses. Primary threats are unauthorized exfiltration of sensitive tables, schema harvesting (DESCRIBE and INFORMATION_SCHEMA queries hand an attacker the table and column names needed to plan further queries), and data poisoning or deletion if write operations are enabled. Exfiltration needs no egress from Snowflake itself: query results travel back through the MCP response into the model context and on to whatever client is driving it.

L3 · Agent Frameworks (✓ mapped)

Implements the Model Context Protocol (MCP). The tool-misuse risk is an orchestrator that forwards LLM-generated SQL to Snowflake unchanged. Because the model authors the entire statement, parameterized queries do not apply (there is no trusted query with untrusted values to bind); the workable controls are allow-listing statement types, refusing stacked statements, and executing under a Snowflake role that cannot write.

L4 · Deployment & Infrastructure (✓ mapped)

Requires hosting and credential management for Snowflake access. Threats include exposure of database credentials (passwords, private keys, tokens) held in environment variables, which are readable by any process or debugging tool sharing the MCP host, and lack of network isolation between the MCP host and the database.

L5 · Evaluation & Observability (✓ mapped)

Features 'insight tracking', but gives no detail on security logging. Threats include a lack of auditability for executed SQL statements, making it hard to detect malicious queries or exfiltration attempts as they happen. Snowflake's query history (ACCOUNT_USAGE.QUERY_HISTORY) records what ran under the agent's user but not which MCP client or prompt caused it, so the server has to log each tool call with its caller context to close that gap.
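The following is an added example, not code from isaacwasserman/mcp-snowflake-server, of the two server-side controls the L3 and L5 entries call for: a policy gate that refuses anything but a single read-only statement before model-supplied SQL reaches Snowflake, and an audit record keyed to the calling agent, written before execution. The tool name `read_query`, the injected `execute` callable (standing in for a Snowflake cursor) and the sample statements are assumptions for illustration.

```python
import json
import re
import time
import uuid
from dataclasses import dataclass, asdict
from typing import Any, Callable, List

MAX_SQL_LEN = 10_000

# Statement kinds a read-only tool may forward; everything else (DML, DDL,
# GRANT, COPY INTO, CALL, USE ...) is refused before it reaches Snowflake.
READ_ONLY_PREFIXES = {"SELECT", "WITH", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"}

# Tokens that must not appear anywhere in a read-only statement, even after an
# allowed prefix (DML behind a CTE, or a SYSTEM$ control function in a SELECT).
DENIED_TOKENS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|TRUNCATE|DROP|ALTER|CREATE|UNDROP|GRANT|REVOKE|"
    r"CALL|COPY|EXECUTE)\b|SYSTEM\$",
    re.IGNORECASE,
)

# Literals, quoted identifiers, dollar-quoted bodies and comments, matched in one
# pass so a quote inside a comment or a ';' inside a string is not mistaken for SQL.
_OPAQUE = re.compile(
    r"'(?:''|[^'])*'"        # 'single quoted', with '' as the escape
    r"|\"(?:\"\"|[^\"])*\""  # "quoted identifier"
    r"|\$\$.*?\$\$"          # $$ dollar-quoted body $$
    r"|/\*.*?\*/"            # /* block comment */
    r"|--[^\n]*",            # -- line comment
    re.DOTALL,
)


class SqlRejected(ValueError):
    """Model-supplied SQL failed the read-only policy."""


def strip_opaque(sql: str) -> str:
    """Blank out literals, quoted identifiers and comments for structural checks."""
    return _OPAQUE.sub(" ", sql)


def check_read_only(sql: str) -> str:
    """Return `sql` unchanged if it is exactly one read-only statement, else raise.
    Heuristic gate, not a parser: the authoritative control is a Snowflake role
    for the agent's user that holds only USAGE and SELECT grants."""
    if len(sql) > MAX_SQL_LEN:
        raise SqlRejected("statement too long")
    cleaned = strip_opaque(sql).strip()
    if "'" in cleaned or '"' in cleaned or "$$" in cleaned:
        raise SqlRejected("unbalanced quote or dollar-quote")
    cleaned = cleaned.rstrip(";").rstrip()   # one trailing ';' is tolerated
    if ";" in cleaned:
        raise SqlRejected("multiple statements")
    head = re.match(r"[A-Za-z_]+", cleaned)
    if head is None or head.group(0).upper() not in READ_ONLY_PREFIXES:
        raise SqlRejected("statement type not permitted: " + (head.group(0) if head else "<none>"))
    hit = DENIED_TOKENS.search(cleaned)
    if hit:
        raise SqlRejected("forbidden token: " + hit.group(0).upper())
    return sql


def is_allowed(sql: str) -> bool:
    try:
        check_read_only(sql)
        return True
    except SqlRejected:
        return False


@dataclass
class AuditRecord:
    event_id: str
    ts: float
    tool: str
    caller: str    # identity of the MCP client / agent issuing the call
    sql: str
    allowed: bool
    reason: str


def run_read_query(sql: str, caller: str, execute: Callable[[str], Any],
                   audit_sink: List[str]) -> dict:
    """Gate, audit, then forward. The audit line is written before execution so
    a query that hangs or gets cancelled is still on record."""
    rec = AuditRecord(str(uuid.uuid4()), time.time(), "read_query", caller, sql, False, "")
    try:
        check_read_only(sql)
        rec.allowed, rec.reason = True, "ok"
    except SqlRejected as exc:
        rec.reason = str(exc)
    audit_sink.append(json.dumps(asdict(rec), sort_keys=True))
    if not rec.allowed:
        return {"ok": False, "error": rec.reason}   # surfaced to the model as a tool error
    return {"ok": True, "rows": execute(sql)}


if __name__ == "__main__":
    # Constructed sample calls; a real handler would pass a cursor.execute-style callable.
    fake_execute = lambda q: [("alice", "alice@example.com")]
    sink: List[str] = []
    for stmt in (
        "SELECT id, email FROM customers WHERE region = 'EU;US' LIMIT 10",
        "SELECT 1; DROP TABLE customers",                  # stacked statement
        "WITH c AS (SELECT 1) DELETE FROM customers",      # DML behind a CTE
        "SELECT SYSTEM$ABORT_SESSION(1234)",               # control function
        "SELECT name FROM \"odd;table\" WHERE note = 'it''s' -- ;DROP",
    ):
        print(run_read_query(stmt, "agent-a", fake_execute, sink))
    print("\n".join(sink))
```

The gate errs toward false positives (a statement opening with a parenthesis, or a column literally named `delete`, is refused) and the model can simply rephrase; what it must never do is let a write through, which is why the Snowflake role remains the real boundary. It also does nothing about schema harvesting or bulk SELECTs, which are RBAC and data-classification questions, not syntax ones.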

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Relies heavily on Snowflake RBAC and credential handling outside the server. If the configured Snowflake user has excessive privileges (a role such as SYSADMIN or ACCOUNTADMIN, or write grants on production schemas), the agent inherits them, violating least privilege and, for regulated data, compliance requirements (e.g., GDPR, HIPAA). The baseline is a dedicated user whose role holds USAGE on the warehouse and database plus SELECT on only the tables the agent needs.

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, it is designed to be called by other agents. A compromised or rogue agent in a multi-agent ecosystem can abuse this tool to query or modify database state, and because the server sees only a tool call, not the chain of prompts behind it, trust failures cascade: whoever can reach the MCP endpoint effectively holds the Snowflake credentials it was configured with.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).