
mcp-server-qdrant — agentic threat model

AIVSS 7.0 · High

mcp-server-qdrant acts as a critical semantic memory layer, presenting risks of prompt injection via memory poisoning and credential exposure of Qdrant and embedding provider API keys.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.3
AARS uplift: 0.89
Factor sum: 3.3 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.85

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.20
Dynamic Tool Use: 0.20
Persistent Memory: 0.90
Contextual Awareness: 0.50
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.40
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
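To make the score rationale reproducible, here is an added worked example (not code from the AgentReady listing or from the mcp-server-qdrant project) that carries the formula above through with the page's own numbers: the ten factor values, CVSS base 7.3, threat multiplier 1.0 and mitigation factor 0.85. The range checks on the inputs and the CVSS-style severity bands used by severity() are assumptions, chosen so that 7.0 maps to "High" as the page states; the what-if call with mitigation 1.0 is also added here to show how much the mitigation factor is doing.

```python
"""Worked AIVSS computation for the mcp-server-qdrant listing (added example)."""

# The ten agentic risk factors exactly as listed on the page.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.20,
    "Persistent Memory": 0.90,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}

# Remaining inputs taken from the score rationale on the page.
CVSS_BASE = 7.3
THREAT_MULTIPLIER = 1.0   # ThM
MITIGATION_FACTOR = 0.85


def _check_range(value, low, high, name):
    """Assumption: every input lives in a closed numeric range; reject anything else
    so a typo in a factor cannot silently push the score outside 0-10."""
    if not (low <= value <= high):
        raise ValueError(f"{name}={value} is outside [{low}, {high}]")


def aars(cvss_base, factors, threat_multiplier=1.0):
    """Agentic uplift: AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    _check_range(cvss_base, 0.0, 10.0, "cvss_base")
    for name, value in factors.items():
        _check_range(value, 0.0, 1.0, name)   # assumed: each factor is scored 0.0-1.0
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    # Assumed: mitigations can only lower the score, so the factor is in (0, 1].
    _check_range(mitigation_factor, 0.0, 1.0, "mitigation_factor")
    uplift = aars(cvss_base, factors, threat_multiplier)
    return (cvss_base + uplift) * mitigation_factor


def severity(score):
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3 bands
    (0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10 Critical)."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def breakdown(cvss_base=CVSS_BASE, factors=AGENTIC_FACTORS,
              threat_multiplier=THREAT_MULTIPLIER, mitigation_factor=MITIGATION_FACTOR):
    """Return every intermediate value so the rationale can be audited line by line."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    score = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "factor_sum": round(sum(factors.values()), 2),
        "aars": round(uplift, 2),
        "aivss": round(score, 1),
        "severity": severity(round(score, 1)),
        # What-if: same agent with no mitigation credit applied.
        "aivss_unmitigated": round(aivss(cvss_base, factors, threat_multiplier, 1.0), 1),
    }


if __name__ == "__main__":
    for key, value in breakdown().items():
        print(f"{key:>18}: {value}")
```

Running the block reproduces the page's figures (factor sum 3.3, AARS 0.89, AIVSS 7.0, High) and shows that the same inputs score 8.2 before the 0.85 mitigation factor is applied, which is why the optional read-only mode and configurable limits discussed under L6 matter to the headline number.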

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The server relies on external pluggable embedding providers rather than hosting its own foundation models, making it susceptible to upstream model vulnerabilities and embedding drift.

L2 · Data Operations (✓ mapped)

Directly handles vector data operations. Highly vulnerable to data poisoning where malicious embeddings are injected into Qdrant, as well as potential data exfiltration of sensitive semantic memories.

L3 · Agent Frameworks (✓ mapped)

Serves as a persistent memory tool for agent frameworks. Stored memories can act as a passive prompt-injection vector, executing indirect prompt injection when retrieved and fed into an agent's context window.

L4 · Deployment & Infrastructure (✓ mapped)

Requires hosting environment security to protect sensitive environment variables including QDRANT_URL, Qdrant API keys, and embedding provider API keys.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in observability, logging, or guardrails are mentioned beyond basic configurable search and collection limits.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Provides basic security controls through an optional read-only mode and configurable limits, but lacks advanced access control, encryption-at-rest configurations, or audit logging within the tool itself.

L7 · Agent Ecosystem (✓ mapped)

In a multi-agent ecosystem, sharing a Qdrant instance without strict namespace isolation can lead to cross-agent memory contamination and unauthorized lateral information disclosure.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).