
Metabase MCP Server — agentic threat model

AIVSS 8.6 · High

The Metabase MCP Server exposes sensitive business intelligence dashboards and underlying database query execution to LLMs, presenting a high-risk vector for unauthorized data exfiltration and SQL injection if the agent is manipulated.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.57
Factor sum: 3.6/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors (each weighted 0.00 to 1.00):

Autonomy of Action: 0.40
Goal-Driven Planning: 0.30
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.20
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
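To make the score above reproducible, the following Python is an added example (not part of this listing or of the Metabase MCP Server project) that implements the quoted AIVSS formula over the ten listed factor weights and checks the intermediate AARS value; the qualitative band function assumes the CVSS v3 severity ranges, which the listing does not state.

```python
"""Reproduce the OWASP AIVSS score shown for the Metabase MCP Server listing."""
from typing import Mapping

# The ten agentic risk factors and the weights this listing assigns (0.0..1.0 each).
METABASE_MCP_FACTORS: Mapping[str, float] = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}

# Inputs quoted on the listing: CVSS base 8.5, ThM x1.05, mitigation x0.95.
CVSS_BASE, THREAT_MULTIPLIER, MITIGATION_FACTOR = 8.5, 1.05, 0.95


def aars(cvss_base: float, factors: Mapping[str, float], thm: float) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, i.e. the headroom
    above the CVSS base scaled by how agentic the system is."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must lie within 0..10")
    if len(factors) != 10 or any(not 0.0 <= w <= 1.0 for w in factors.values()):
        raise ValueError("expected ten factors, each weighted 0.0..1.0")
    factor_sum = sum(factors.values())  # 3.6 for this listing
    return (10.0 - cvss_base) * (factor_sum / 10.0) * thm


def aivss(cvss_base: float, factors: Mapping[str, float], thm: float,
          mitigation: float) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded to one decimal
    as the listing displays it."""
    return round((cvss_base + aars(cvss_base, factors, thm)) * mitigation, 1)


def severity(score: float) -> str:
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3 ranges
    (Low < 4.0, Medium < 7.0, High < 9.0, Critical otherwise)."""
    if score < 4.0:
        return "Low" if score > 0 else "None"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"


if __name__ == "__main__":
    score = aivss(CVSS_BASE, METABASE_MCP_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    print(f"AARS uplift {aars(CVSS_BASE, METABASE_MCP_FACTORS, THREAT_MULTIPLIER):.2f}, "
          f"AIVSS {score} · {severity(score)}")
```

Because the factor sum only scales the gap between the CVSS base and 10, lowering a single factor (for example restricting Dynamic Tool Use) moves the final score by at most a few tenths; the 8.5 CVSS base dominates.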

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server relies on external LLMs. The primary threat is prompt injection or adversarial manipulation of the model to execute unauthorized database queries or bypass intended query constraints.

L2 · Data Operations (✓ mapped)

The agent directly accesses Metabase dashboards, cards, and connected databases. This creates a high risk of data exfiltration, unauthorized data access, and potential database poisoning if write-back queries are permitted.

L3 · Agent Frameworks (✓ mapped)

The server exposes tools for running queries and executing questions. Insecure tool integration or lack of input sanitization on the generated SQL/JSON queries could lead to direct database exploitation.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The hosting environment of the MCP server must securely manage Metabase API credentials. Compromise of the server hosting this MCP would expose these credentials and database network paths.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of query logging, guardrails, or anomaly detection to monitor whether the LLM is executing anomalous or malicious database queries.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The agent authenticates using Metabase credentials. Security depends heavily on the principle of least privilege applied to these credentials, as the agent inherits the permissions of the authenticated Metabase user.

L7 · Agent Ecosystem (✓ mapped)

As an MCP server, this agent is designed to be called by other host agents. This introduces cascading risks where a compromised orchestrator agent can abuse this server to extract sensitive corporate BI data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).