Keboola MCP Server — agentic threat model
The Keboola MCP Server exposes sensitive data warehousing, SQL execution, and component management capabilities directly to LLM agents, creating a high-impact data exfiltration and unauthorized modification surface bounded only by the connected project's scope.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0 to 1) | Notes |
|---|---|---|
| Autonomy of Action | 0.60 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.60 | |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors above are estimates derived from the agent's described capabilities, not measured values.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description does not pin that layer down.
Layer 1, Foundation Models. Not certain from the listing — the MCP server is model-agnostic and acts as an interface. It is nevertheless exposed to indirect prompt injection: every bucket row, table cell, or configuration value the agent reads is untrusted input to the executing LLM, and instruction-like text stored in Keboola data can redirect the agent's subsequent tool calls.
Layer 2, Data Operations. Directly exposes Keboola storage, bucket browsing, and SQL transformation execution. Query results flow back through the model to the host, which creates a significant data exfiltration surface; write-capable tools add the risk of unauthorized modification or deletion of data within the connected project's scope.
Layer 3, Agent Frameworks. Exposes powerful tools for component and job management. Insecure tool integration or weak input validation on the SQL execution tools would let an agent run arbitrary, destructive, or resource-intensive queries; a deny-by-default statement gate and row caps reduce this, but only a read-only credential turns it into a hard boundary.
Layer 4, Deployment and Infrastructure. Not certain from the listing — infrastructure security depends on how the MCP server is hosted and whether network-level isolation or query execution sandboxing is enforced to prevent lateral movement to other Keboola services.
Layer 5, Evaluation and Observability. Not certain from the listing — detecting anomalous agent behaviour requires logging of every executed SQL statement, bucket access, and job management action, attributed to the calling agent; the public directory does not say whether the server provides this.
Layer 6, Security and Compliance. Relies entirely on the connected Keboola project's API token and its permissions. If that token is over-privileged (project-wide bucket access, or management rights over buckets and tokens), the agent inherits full administrative control over the data platform, violating the principle of least privilege; the token's bucket permissions are the agent's blast radius.
Layer 7, Agent Ecosystem. As an MCP server, this component is designed to be called by host agents or orchestrators, so a compromised upstream agent can drive it into cascading failures or unauthorized data access.
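An added example, not code from the Keboola MCP Server, that serves both the SQL tool validation point and the logging point above: a deny-by-default gate for the SQL execution tool and, built on the same statement classifier, a scan over constructed audit-log lines that flags destructive calls and agents sweeping many buckets. The log field names, the tool names (query_table, delete_bucket, delete_table, run_job) and the sweep threshold are assumptions; the bucket id shape (in.c-name / out.c-name) is Keboola's real naming. Keyword gating is defense in depth and can be sidestepped by engine-specific syntax, so the credential behind the tool must be read-only regardless.

```python
"""Added example, not the Keboola MCP Server's own code: a deny-by-default gate
for an agent-facing SQL tool, reused to scan audit-log lines for destructive or
sweeping agent activity. Log fields and tool names are assumptions."""
import json
import re
from collections import defaultdict

# Keywords that change data or schema. Any occurrence outside quotes is denied,
# which also catches data-modifying CTEs such as WITH x AS (DELETE ...) SELECT.
DESTRUCTIVE = {"DROP", "DELETE", "TRUNCATE", "ALTER", "UPDATE", "INSERT", "MERGE",
               "CREATE", "GRANT", "REVOKE", "COPY", "CALL", "EXECUTE", "REPLACE"}
READ_ONLY_LEADS = {"SELECT", "WITH", "SHOW", "DESCRIBE", "EXPLAIN"}
DESTRUCTIVE_TOOLS = {"delete_bucket", "delete_table", "run_job"}  # assumed tool names
BUCKET_RE = re.compile(r"\b(?:in|out)\.c-[A-Za-z0-9_-]+")  # Keboola bucket id, e.g. in.c-crm


def sql_skeleton(sql):
    """Drop comments, string literals and quoted identifiers so keyword checks see
    only structure: a column named "update" or a literal containing 'drop' must
    not trip the gate, and a leading comment must not hide the real first keyword."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    sql = re.sub(r"'(?:[^']|'')*'", "''", sql)
    sql = re.sub(r'"(?:[^"]|"")*"', '""', sql)
    return sql.strip()


def gate_query(sql, max_rows=1000):
    """Return (allowed, reason). Allows exactly one statement with a read-only
    leading keyword, no destructive keyword anywhere, and an explicit LIMIT of at
    most max_rows. Defense in depth only: the hard boundary is a read-only role."""
    stmts = [s.strip() for s in sql_skeleton(sql).split(";") if s.strip()]
    if len(stmts) != 1:
        return False, "exactly one statement is allowed"
    stmt = stmts[0]
    lead = re.match(r"\(*\s*([A-Za-z]+)", stmt)
    lead = lead.group(1).upper() if lead else ""
    if lead not in READ_ONLY_LEADS:
        return False, f"statement must start with a read-only keyword, got {lead or '?'}"
    hit = {t.upper() for t in re.findall(r"[A-Za-z_]+", stmt)} & DESTRUCTIVE
    if hit:
        return False, f"destructive keyword(s) present: {sorted(hit)}"
    m = re.search(r"\bLIMIT\s+(\d+)(?:\s+OFFSET\s+\d+)?\s*$", stmt, re.I)
    if not m:
        return False, f"add an explicit LIMIT (at most {max_rows})"
    if int(m.group(1)) > max_rows:
        return False, f"LIMIT {m.group(1)} exceeds the cap of {max_rows}"
    return True, "ok"


# Constructed audit-log lines, one JSON object per tool call. The field names and
# tool names are assumed for this example; they are not the server's real format.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:01Z","agent":"agent-1","tool":"query_table","sql":"SELECT id FROM in.c-crm.customers LIMIT 100"}
{"ts":"2025-01-10T09:00:02Z","agent":"agent-1","tool":"query_table","sql":"SELECT email FROM in.c-crm.customers LIMIT 100"}
{"ts":"2025-01-10T09:00:03Z","agent":"agent-1","tool":"query_table","sql":"SELECT * FROM in.c-finance.invoices LIMIT 100"}
{"ts":"2025-01-10T09:00:04Z","agent":"agent-1","tool":"query_table","sql":"SELECT * FROM in.c-hr.salaries LIMIT 100"}
{"ts":"2025-01-10T09:00:05Z","agent":"agent-2","tool":"query_table","sql":"DROP TABLE out.c-reports.daily"}
{"ts":"2025-01-10T09:00:06Z","agent":"agent-2","tool":"delete_bucket","bucket":"out.c-reports"}
"""


def scan_audit_log(log_text, bucket_threshold=3):
    """Return (agent, kind, detail) findings: SQL the gate would have denied,
    destructive tool calls, and agents touching at least bucket_threshold
    distinct buckets in the window (a bulk-read / exfiltration signal)."""
    findings = []
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        agent, tool = ev["agent"], ev["tool"]
        if tool in DESTRUCTIVE_TOOLS:
            findings.append((agent, "destructive_tool", tool))
        if "sql" in ev:
            allowed, reason = gate_query(ev["sql"])
            if not allowed:
                findings.append((agent, "denied_sql", reason))
            buckets[agent].update(BUCKET_RE.findall(ev["sql"]))
        if "bucket" in ev:
            buckets[agent].add(ev["bucket"])
    for agent, seen in buckets.items():
        if len(seen) >= bucket_threshold:
            findings.append((agent, "bucket_sweep", sorted(seen)))
    return findings


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG):
        print(finding)
```

The gate refuses rather than rewrites: an agent that omits LIMIT gets a reason string it can act on, and nothing in the tool layer ever edits SQL text. The scan reuses the same gate over logged statements, so a query that slipped past an older gate version still surfaces on the detection side; the bucket-sweep rule is the crude but effective signal for an agent reading its way across a project.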
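One way to check the token before it goes into the agent's configuration, as an added example that is neither the Keboola MCP Server's nor Keboola's own code: it audits the token's own description, as returned by the Storage API verify endpoint, against the buckets the task actually needs. The endpoint path, the X-StorageApi-Token header and the response field names (canManageBuckets, bucketPermissions and the rest) reflect my reading of the Storage API and are assumptions here; both sample responses are constructed.

```python
"""Added example, not the Keboola MCP Server's own code: audit a Storage API
token against the least privilege an agent needs before wiring it into the
server. The endpoint, header and field names follow my reading of the token
verify endpoint and are assumptions; both sample responses are constructed."""
import json
import urllib.request

# Project-level rights a data-reading agent never needs (assumed field names).
MANAGE_FLAGS = ("canManageBuckets", "canManageTokens", "canReadAllFileUploads", "canPurgeTrash")

# Constructed: a project-wide token someone pasted into an agent config.
OVERPRIVILEGED = json.loads("""{
  "id": "1001", "description": "mcp-agent", "expires": null, "isExpired": false,
  "canManageBuckets": true, "canManageTokens": true,
  "canReadAllFileUploads": true, "canPurgeTrash": false,
  "bucketPermissions": {"in.c-crm": "write", "in.c-finance": "read", "in.c-hr": "read"}
}""")

# Constructed: the token the agent should get for a read-only task on one bucket.
SCOPED = json.loads("""{
  "id": "1002", "description": "mcp-agent-crm-readonly",
  "expires": "2025-02-01T00:00:00+00:00", "isExpired": false,
  "canManageBuckets": false, "canManageTokens": false,
  "canReadAllFileUploads": false, "canPurgeTrash": false,
  "bucketPermissions": {"in.c-crm": "read"}
}""")


def fetch_token_info(stack_host, token):
    """Ask the stack to describe the token itself (assumed path and header)."""
    req = urllib.request.Request(f"https://{stack_host}/v2/storage/tokens/verify",
                                 headers={"X-StorageApi-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_token(info, allowed_buckets, need_write=False):
    """Return the ways the token deviates from the intended scope (empty = fits).
    allowed_buckets: bucket ids the task needs; need_write: whether it writes."""
    problems = []
    if info.get("admin"):  # assumed: present on admin / master tokens
        problems.append("admin-level token, never hand one to an agent")
    for flag in MANAGE_FLAGS:
        if info.get(flag):
            problems.append(f"{flag} is set")
    if info.get("isExpired"):
        problems.append("token is expired")
    elif not info.get("expires"):
        problems.append("token never expires")
    perms = info.get("bucketPermissions", {})
    for bucket, perm in perms.items():
        if bucket not in allowed_buckets:
            problems.append(f"reach outside task scope: {bucket} ({perm})")
        elif perm != "read" and not need_write:
            problems.append(f"write access where read suffices: {bucket}")
    for bucket in sorted(set(allowed_buckets) - set(perms)):
        problems.append(f"no access to required bucket: {bucket}")
    return problems


if __name__ == "__main__":
    for name, info in (("over-privileged", OVERPRIVILEGED), ("scoped", SCOPED)):
        print(name, audit_token(info, {"in.c-crm"}))
```

Run the audit once against the live token with the fetch helper and refuse to start the server if it returns anything; the same check belongs wherever the token is provisioned, because a token that passes today can be widened later without the agent side noticing.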
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).