mcp-server-qdrant — agentic threat model
mcp-server-qdrant acts as a critical semantic memory layer for agents. Its main risks are prompt injection through memory poisoning and exposure of the Qdrant and embedding-provider API keys it holds.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.20 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.90 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors are estimates derived from the agent's described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" are general, caveated commentary for layers the public description did not pin down.
Layer 1 (Foundation Models): Not certain from the listing — The server relies on external, pluggable embedding providers rather than hosting its own foundation models, so it inherits upstream model vulnerabilities and is exposed to embedding drift.
Layer 2 (Data Operations): Directly handles vector data operations. Highly vulnerable to data poisoning, where malicious embeddings are injected into Qdrant, and to exfiltration of sensitive semantic memories.
Layer 3 (Agent Frameworks): Serves as a persistent memory tool for agent frameworks. Stored memories act as a passive prompt-injection vector: an indirect injection fires when a poisoned memory is retrieved and fed into an agent's context window.
Layer 4 (Deployment and Infrastructure): Requires hosting-environment security to protect sensitive environment variables, including QDRANT_URL, the Qdrant API key, and embedding-provider API keys.
Layer 5 (Evaluation and Observability): Not certain from the listing — No built-in observability, logging, or guardrails are mentioned beyond basic configurable search and collection limits.
Layer 6 (Security and Compliance): Provides basic security controls through an optional read-only mode and configurable limits, but lacks advanced access control, encryption-at-rest configuration, and audit logging within the tool itself.
Layer 7 (Agent Ecosystem): In a multi-agent ecosystem, sharing a Qdrant instance without strict namespace isolation can lead to cross-agent memory contamination and unauthorized lateral information disclosure.
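The two mitigations implied by the Agent Frameworks and Agent Ecosystem layers above (per-agent namespace isolation of memories, and treating retrieved memories as untrusted data rather than instructions) are sketched here as an added example; it is not code from mcp-server-qdrant or Qdrant. The store is a constructed in-memory stand-in for a Qdrant collection, keyword overlap replaces vector search so it runs offline, and the injection patterns are illustrative heuristics, not a complete detector.

```python
import re
from dataclasses import dataclass, field


@dataclass
class MemoryStore:
    """Constructed stand-in for a Qdrant collection (not the real client)."""
    points: list = field(default_factory=list)

    def store(self, agent_id: str, text: str) -> None:
        # Every point carries the owning agent in its payload.
        self.points.append({"agent_id": agent_id, "document": text})

    def retrieve(self, agent_id: str, query: str, limit: int = 3) -> list:
        # Namespace isolation: only points whose payload agent_id matches the
        # caller are candidates (a payload filter in a real Qdrant query).
        terms = set(query.lower().split())
        scored = [
            (len(terms & set(p["document"].lower().split())), p["document"])
            for p in self.points
            if p["agent_id"] == agent_id
        ]
        scored.sort(key=lambda s: s[0], reverse=True)
        return [doc for score, doc in scored if score > 0][:limit]


# Illustrative (constructed) patterns that mark a memory as instruction-like.
INJECTION_PATTERNS = [
    r"ignore (all|any|the)? ?(previous|prior|above) instructions",
    r"\bsystem prompt\b",
    r"\byou (must|should) now\b",
    r"\b(call|run|execute) the \w+ tool\b",
]


def flag_injection(text: str) -> bool:
    """True when a stored memory reads like an instruction to the agent."""
    return any(re.search(p, text, re.IGNORECASE) for p in INJECTION_PATTERNS)


def build_context(memories: list) -> str:
    """Wrap retrieved memories as delimited data; withhold flagged ones."""
    lines = []
    for m in memories:
        if flag_injection(m):
            lines.append('<memory status="withheld: instruction-like content"/>')
        else:
            lines.append(f"<memory>{m}</memory>")
    return "\n".join(lines)
```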
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).