AgentReady · Agent Listing

julien040/anyquery — agentic threat model

AIVSS 7.7 · High

Anyquery acts as a highly sensitive data-access gateway, exposing over 40 applications and databases to SQL queries. While local-first execution limits external network exposure, the agentic risk is high due to the potential for destructive SQL execution (write/delete) and credential exposure across unified data sources.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.57
Factor sum: 3.6 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.85

Agentic risk factors:
Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.90
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.50
Non-Determinism: 0.20
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
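To make the score above reproducible, the following is an added example (not code from the AgentReady site or the anyquery project) that recomputes the listing's AIVSS from its published inputs; the qualitative bands in severity() are assumed to follow the CVSS ranges, and the 10.0 clamp is an assumption too.

```python
# Added example: recompute this listing's OWASP AIVSS score from the
# published inputs (CVSS base 8.5, ThM 1.05, mitigation 0.85, ten factors).
from typing import Mapping

# The ten agentic risk factors exactly as scored on the listing (each 0.0..1.0).
ANYQUERY_FACTORS: Mapping[str, float] = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.30,
}


def factor_sum(factors: Mapping[str, float]) -> float:
    """Factor_Sum: the ten factors added up, after validating their ranges."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    return sum(factors.values())


def aars(cvss_base: float, factors: Mapping[str, float], thm: float) -> float:
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM.
    The agentic uplift is a share of the headroom left above the CVSS base."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in [0, 10]")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base: float, factors: Mapping[str, float],
          thm: float, mitigation: float) -> float:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor (clamped to 10, assumed)."""
    return min((cvss_base + aars(cvss_base, factors, thm)) * mitigation, 10.0)


def severity(score: float) -> str:
    """Qualitative band; assumed to mirror the CVSS ranges (Low/Medium/High/Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    for m in (0.85, 1.0):  # listing's mitigation credit vs. no mitigation at all
        s = aivss(8.5, ANYQUERY_FACTORS, 1.05, m)
        print(f"mitigation x{m}: AIVSS {s:.2f} ({severity(s)})")
```

Running it with the mitigation factor set to 1.0 instead of 0.85 yields 9.07 (Critical), so the 0.85 mitigation credit is what keeps this listing in the High band.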

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Anyquery is an MCP server and SQL engine rather than a model host. The underlying LLM calling this tool is external, meaning model-level threats (adversarial reprogramming, prompt injection) depend entirely on the orchestrating agent framework.

L2 · Data Operations (✓ mapped)

Highly critical layer. Anyquery unifies 40+ apps and SQL databases. The primary threat is data exfiltration or unauthorized modification via SQL injection or malicious agent queries targeting connected databases (PostgreSQL, MySQL, SQLite) and integrated application data.

L3 · Agent Frameworks (✓ mapped)

The tool integration surface is the core risk. If an orchestrating agent is compromised or tricked, it can misuse the Anyquery MCP tool to execute arbitrary SQL queries, potentially leading to unauthorized data deletion, modification, or schema changes across connected apps.

L4 · Deployment & Infrastructure (✓ mapped)

Anyquery runs as a local-first single binary. This reduces cloud-hosting risks but concentrates threats on the local host. If the host is compromised, the local credentials used to connect to the 40+ apps and databases are at risk of theft.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The description does not mention built-in query logging, audit trails, or guardrails to block destructive SQL commands (e.g., DROP TABLE, DELETE) before they reach the connected databases.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Security relies heavily on the credentials provided to the single binary. There is no mention of granular access control, row-level security, or read-only enforcement within Anyquery itself, meaning it likely inherits the full permissions of the provided API keys/database credentials.

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, Anyquery is designed to be called by other agents. In a multi-agent ecosystem, a compromised or untrusted agent could abuse the trust relationship to query sensitive databases through Anyquery without proper authorization.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).