
MotherDuck — agentic threat model

AIVSS 9.3 · Critical

The MotherDuck MCP server presents a high-risk data-access surface: it executes arbitrary read and write SQL against local DuckDB databases and the MotherDuck cloud warehouse using stored credentials, so any agent wired to it becomes a high-value target for prompt injection aimed at exfiltrating data or issuing destructive writes.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.77
Factor sum: 4.9 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0 to 1):
Autonomy of Action: 0.60
Goal-Driven Planning: 0.30
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.40
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.70
Non-Determinism: 0.40
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
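The computation above, carried through in Python as an added example (this is not OWASP's calculator code). It validates the inputs, reproduces the listing's AARS and AIVSS values from the factor table, and makes visible that the agentic uplift is bounded by the headroom 10 − CVSS_Base, so for a base score this high the mitigation factor moves the result far more than any single agentic factor. The qualitative bands in severity() are an assumption that AIVSS follows the CVSS v3 cut-offs, which is consistent with the page's 9.3 · Critical.

```python
"""Reproduce the listing's AIVSS score (added example, not OWASP's calculator)."""

# The ten agentic risk factors, each scored 0-1, with the values from the listing.
FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.30,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.70,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.50,
}


def aars(cvss_base, factors, threat_multiplier):
    """Agentic AI Risk Score uplift: (10 - CVSS_Base) x (Factor_Sum / 10) x ThM.

    The uplift scales with the headroom 10 - CVSS_Base, so the agentic
    factors matter most for medium base scores and least for ones near 10.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1], got {value}")
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor.

    No clamping is applied: the formula as quoted on the page has none
    (assumption), so a ThM above 1 with all factors at 1 can exceed 10.
    """
    uplift = aars(cvss_base, factors, threat_multiplier)
    return (cvss_base + uplift) * mitigation_factor


def severity(score):
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3 bands (9.0+ = Critical)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def score_listing():
    """The page's inputs: CVSS 8.5, ThM 1.05, mitigation 1.0.

    Returns (factor_sum, AARS, AIVSS, band) rounded as the listing shows them.
    """
    uplift = aars(8.5, FACTORS, 1.05)
    score = aivss(8.5, FACTORS, 1.05, 1.0)
    return round(sum(FACTORS.values()), 1), round(uplift, 2), round(score, 1), severity(score)


if __name__ == "__main__":
    factor_sum, uplift, score, band = score_listing()
    print(f"factor sum {factor_sum}/10, AARS {uplift}, AIVSS {score} ({band})")
    # What a real mitigation would buy: the same inputs with Mitigation_Factor 0.8.
    print(f"with mitigation x0.8: {aivss(8.5, FACTORS, 1.05, 0.8):.1f}")
```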

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing: the foundation model is not specified, since this is an MCP server rather than a model. Whatever model drives the calling agent, prompt injection (including via untrusted content returned by an earlier query and fed back into context) can steer it into emitting malicious SQL.

L2 · Data Operations (✓ mapped)

Directly interfaces with local DuckDB databases and cloud MotherDuck databases. High risk of data exfiltration and unauthorized modification; the natural-language-to-SQL step is itself an injection surface, because the model rather than a parameterized query decides what SQL runs.

L3 · Agent Frameworks (✓ mapped)

Exposes powerful database execution tools to the agent framework. Insecure tool integration could allow an orchestrator or malicious prompt to execute destructive SQL commands (e.g., DROP TABLE, write operations).

L4 · Deployment & Infrastructure (✓ mapped)

Carries a MotherDuck authentication token and accesses local files. Compromise of the host running the MCP server could lead to token theft; and because DuckDB can read and write local files from SQL (file-reading table functions, COPY ... TO), the SQL surface itself doubles as local file system access.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of query logging, SQL validation guardrails, or anomaly detection to monitor and restrict the generated database queries.
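The L3 and L5 entries point at the same gap: nothing between the model and the database decides whether a generated statement is acceptable, and nothing records it. A minimal fail-closed guard of the kind a practitioner would wrap around the tool's execute call is shown here as an added example; it is not part of the MotherDuck MCP server, and the function names, deny list and sample queries are constructed for illustration. It allows a single read-only statement, refuses writes, DDL and DuckDB's file-access and extension features, refuses path-like literals (DuckDB scans FROM '/path/file.csv' directly, so a file path is a table source, not just a string), and emits a structured audit record for every decision.

```python
"""Fail-closed read-only guard for LLM-generated DuckDB/MotherDuck SQL (added example)."""
import hashlib
import json
import re

# Statement forms a read-only analytics tool legitimately needs.
ALLOWED_FIRST_KEYWORDS = {"SELECT", "WITH", "EXPLAIN", "DESCRIBE", "SHOW"}

# Writes, DDL, and DuckDB features that reach outside the query engine:
# file readers, COPY/EXPORT, ATTACH, extension loading and configuration.
DENY_WORDS = {
    "INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "CREATE", "DROP", "ALTER",
    "COPY", "EXPORT", "IMPORT", "ATTACH", "DETACH", "INSTALL", "LOAD", "PRAGMA",
    "SET", "RESET", "CALL", "EXECUTE", "PREPARE", "GLOB", "PARQUET_SCAN",
    "READ_CSV", "READ_CSV_AUTO", "READ_PARQUET", "READ_JSON", "READ_JSON_AUTO",
    "READ_TEXT", "READ_BLOB",
}

# Literals that look like a path, URL or data file are refused wherever they
# appear (conservative: a date written as '2024/01/01' is refused too).
PATHLIKE_RE = re.compile(
    r"^[a-z][a-z0-9+.-]*://|[/\\]|\.(csv|tsv|json|jsonl|parquet|txt|db|duckdb)$",
    re.IGNORECASE,
)

# Lexer: each alternative is one named group, so m.lastgroup is the token kind.
TOKEN_RE = re.compile(
    r"""(?P<ws>\s+)
      | (?P<line_comment>--[^\n]*)
      | (?P<block_comment>/\*.*?\*/)
      | (?P<string>'(?:[^']|'')*')
      | (?P<quoted_ident>"(?:[^"]|"")*")
      | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
      | (?P<number>\d+(?:\.\d+)?)
      | (?P<punct>[^\sA-Za-z0-9_'"])""",
    re.VERBOSE | re.DOTALL,
)


def tokenize(sql):
    """Return (kind, text) tokens with whitespace and comments dropped.

    Raises ValueError on anything the lexer cannot classify (for example an
    unterminated quote), so the caller fails closed instead of guessing.
    """
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unparseable input at offset {pos}")
        pos = m.end()
        if m.lastgroup not in ("ws", "line_comment", "block_comment"):
            tokens.append((m.lastgroup, m.group()))
    return tokens


def check_query(sql):
    """Return (allowed, reason) for one model-generated statement."""
    try:
        tokens = tokenize(sql)
    except ValueError as exc:
        return False, str(exc)
    if tokens and tokens[-1] == ("punct", ";"):  # one trailing ';' is fine
        tokens = tokens[:-1]
    if not tokens:
        return False, "empty statement"
    if any(tok == ("punct", ";") for tok in tokens):
        return False, "multiple statements"
    kind, text = tokens[0]
    if kind != "word" or text.upper() not in ALLOWED_FIRST_KEYWORDS:
        return False, f"statement type not allowed: {text}"
    for kind, text in tokens:
        if kind == "word" and text.upper() in DENY_WORDS:
            return False, f"denied keyword or function: {text.upper()}"
        if kind in ("string", "quoted_ident") and PATHLIKE_RE.search(text[1:-1]):
            return False, f"path-like literal: {text}"
    return True, "read-only statement"


def audit_record(sql, decision, principal="agent"):
    """Structured log entry; the hash correlates events without copying raw SQL around."""
    allowed, reason = decision
    return {
        "principal": principal,
        "allowed": allowed,
        "reason": reason,
        "sql_sha256": hashlib.sha256(sql.encode("utf-8")).hexdigest(),
        "sql_preview": sql[:120],
    }


def guarded_execute(sql, execute, log=print, principal="agent"):
    """Run execute(sql) only if the guard allows it; log the decision either way."""
    decision = check_query(sql)
    log(json.dumps(audit_record(sql, decision, principal)))
    if not decision[0]:
        raise PermissionError(decision[1])
    return execute(sql)


# Constructed sample queries of the kind an injected prompt might produce.
SAMPLE_QUERIES = [
    "SELECT customer_id, total FROM orders WHERE total > 100 LIMIT 10",
    "SELECT 1; DROP TABLE orders",
    "WITH t AS (SELECT 1) DELETE FROM orders",
    "SELECT * FROM read_csv('/etc/passwd')",
    "SELECT * FROM '/home/user/.aws/credentials'",
    "COPY (SELECT * FROM customers) TO '/tmp/out.csv'",
    "SELECT * FROM orders -- ; DROP TABLE orders",
    "SELECT 'DROP TABLE x' AS s FROM orders;",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        allowed, reason = check_query(q)
        print(f"{'ALLOW' if allowed else 'DENY '} {reason:<40} | {q}")
```

Token-level filtering is a layer, not the boundary: it refuses some legitimate queries and will miss syntax it does not model, so pair it with controls the engine enforces, such as opening local DuckDB files with read_only=True, setting enable_external_access to false on the connection, and issuing the MotherDuck token with the least privilege the use case needs.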

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Relies on a MotherDuck token for access control but lacks granular, user-level authorization within the MCP server itself: every caller inherits the token's full privileges, potentially granting the LLM write access to the entire data warehouse.

L7 · Agent Ecosystem (✓ mapped)

Designed as an MCP server to be called by other agents. This introduces agent-to-agent trust abuse risks, where a compromised or rogue upstream agent can abuse this tool to exfiltrate warehouse data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).