
MySQL MCP (kevinwatt) — agentic threat model

AIVSS 9.1 · Critical

This agent exposes direct database execution capabilities, a high-risk profile: if the server executes whatever SQL the model generates from untrusted input, the consequences range from SQL injection to unauthorized data exfiltration and destructive write operations.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
Factor sum: 3.8 / 10 (the ten agentic factor values below added together)
Threat multiplier (ThM): ×1.05
AARS uplift: 0.6 (= (10 − 8.5) × (3.8 / 10) × 1.05 ≈ 0.60)
Mitigation factor: ×1.0
AIVSS: (8.5 + 0.6) × 1.0 ≈ 9.1

Agentic risk factor          Value
Autonomy of Action           0.60
Goal-Driven Planning         0.40
Self-Modification            0.00
Dynamic Tool Use             0.80
Persistent Memory            0.10
Contextual Awareness         0.30
Dynamic Identity             0.50
Multi-Agent Interactions     0.20
Non-Determinism              0.50
Opacity & Reflexivity        0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the agent relies on an external LLM via the Model Context Protocol (MCP). The primary threat is prompt injection, whether in the user's request or in untrusted content the model reads (including rows returned by earlier queries), steering the foundation model into generating destructive SQL (e.g., DROP TABLE) or data-exfiltration queries instead of the intended analytical ones.

L2 · Data Operations (✓ mapped)

The agent directly interacts with a MySQL database as its primary data store. Threats include unauthorized data exfiltration of sensitive database records, data poisoning via malicious SQL writes, and lack of data lineage tracking for executed queries.

L3 · Agent Frameworks (✓ mapped)

The agent framework exposes powerful tools for schema introspection and raw SQL execution. The primary threat is insecure tool integration, where the framework fails to sanitize or validate model-generated SQL before executing it against the database.

L4 · Deployment & Infrastructure (✓ mapped)

The agent holds database connection credentials. Threats include credential theft from the hosting environment, lack of network isolation between the MCP server and the database, and privilege escalation if the database user has excessive administrative permissions.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in query logging, guardrails, or anomaly detection to flag suspicious SQL execution patterns or massive data transfers.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The security surface relies heavily on external configuration. A lack of strict database-level access controls (e.g., not enforcing read-only users) and missing audit trails for model-initiated queries pose significant compliance and authorization risks.
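The gap named under layer L3 (no validation of model-generated SQL before execution) and the control layer L6 asks for (read-only access) can both be applied at the MCP server boundary. The following is an added example written for this page in Python; it is not code from kevinwatt's MySQL MCP server, and `gate_sql`, `session_hardening`, `audit` and the sample statements are this example's own constructions. It masks quoted text and strips comments before checking for stacked statements, a leading verb outside a read-only allowlist, and write or file-I/O keywords anywhere in the statement (in MySQL 8 a CTE can prefix DELETE or UPDATE, so the leading verb alone is not enough). It also emits the two session settings to run before any model-generated query: `SET SESSION TRANSACTION READ ONLY` (MySQL 5.6.5 and later) and `max_execution_time` (milliseconds, SELECT statements only, MySQL 5.7.8 and later).

```python
# Added example for this threat model (not code from kevinwatt's MySQL MCP server).
# Defence in depth: the real control is a MySQL account with only SELECT grants.
import re

READ_ONLY_VERBS = {"SELECT", "WITH", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"}

# Refused anywhere in the statement: in MySQL 8 a CTE (WITH ...) may prefix
# DELETE/UPDATE, and INTO OUTFILE or LOAD_FILE() turn a read into host file I/O.
FORBIDDEN = re.compile(
    r"\b(INSERT|UPDATE|DELETE|REPLACE|DROP|ALTER|CREATE|TRUNCATE|RENAME|GRANT|"
    r"REVOKE|CALL|LOAD|LOAD_FILE|OUTFILE|DUMPFILE|LOCK)\b", re.IGNORECASE)


class SQLRejected(ValueError):
    """The statement must not reach the database."""


def _scan(sql):
    """Return (cleaned, skeleton): comments removed in both; skeleton also masks
    each quoted literal/identifier as '?' so quoted text cannot fool the checks."""
    cleaned, skeleton = [], []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":
            j = i + 1
            while True:
                if j >= n:
                    raise SQLRejected("unterminated quoted text")
                if sql[j] == "\\" and c != "`":        # backslash escape
                    j += 2
                    continue
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:  # doubled quote ('')
                        j += 2
                        continue
                    break
                j += 1
            cleaned.append(sql[i:j + 1])
            skeleton.append("?")
            i = j + 1
        elif c == "#" or (sql.startswith("--", i)
                          and (i + 2 >= n or sql[i + 2] in " \t\r\n")):
            # MySQL treats "--" as a comment only if whitespace follows it.
            while i < n and sql[i] != "\n":
                i += 1
        elif sql.startswith("/*", i):
            if sql.startswith("/*!", i):   # MySQL executes /*! ... */ bodies
                raise SQLRejected("executable comment /*! ... */")
            end = sql.find("*/", i + 2)
            if end < 0:
                raise SQLRejected("unterminated comment")
            i = end + 2
        else:
            cleaned.append(c)
            skeleton.append(c)
            i += 1
    return "".join(cleaned), "".join(skeleton)


def gate_sql(sql):
    """Return the single read-only statement to send to MySQL, else raise."""
    cleaned, skeleton = _scan(sql)
    skeleton = skeleton.strip().rstrip("; \t\r\n")    # one trailing ';' is fine
    if not skeleton:
        raise SQLRejected("empty statement")
    if ";" in skeleton:
        raise SQLRejected("stacked statements")
    m = re.match(r"[A-Za-z_]+", skeleton)
    if not m or m.group(0).upper() not in READ_ONLY_VERBS:
        raise SQLRejected(f"statement type not allowed: {skeleton[:12]!r}")
    if (hit := FORBIDDEN.search(skeleton)):
        raise SQLRejected(f"forbidden keyword: {hit.group(0).upper()}")
    return cleaned.strip().rstrip("; \t\r\n")


def session_hardening(max_execution_ms=5000):
    """Run once per connection; the gate refuses SET, so the model cannot undo these."""
    return ["SET SESSION TRANSACTION READ ONLY",
            f"SET SESSION max_execution_time = {int(max_execution_ms)}"]


def audit(statements):
    """Map each statement to the SQL that would be sent, or to 'REJECT: <reason>'."""
    out = {}
    for s in statements:
        try:
            out[s] = gate_sql(s)
        except SQLRejected as e:
            out[s] = f"REJECT: {e}"
    return out


# Constructed samples, not taken from real traffic.
SAMPLES = [
    "SELECT id, email FROM users WHERE note = 'DROP TABLE users; --' LIMIT 10",
    "show tables; -- list",
    "SELECT 1; DROP TABLE users",
    "SELECT * FROM users /*! ; DROP TABLE users */",
    "WITH r AS (SELECT id FROM orders) DELETE FROM orders WHERE id IN (SELECT id FROM r)",
    "SELECT * FROM users INTO OUTFILE '/tmp/users.csv'",
    "SET SESSION TRANSACTION READ WRITE",
]
```

`audit(SAMPLES)` lets the first two statements through (the DROP inside a string literal is masked, the trailing comment is stripped) and rejects the rest. The gate is a pre-filter, not authorization: a SELECT against `information_schema` or any sensitive table still passes, which is why the database account's grants, not this code, decide what the agent can read; `max_execution_time` bounds runtime, not row count, so a fetch cap in the server's driver code is still needed against bulk exfiltration.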

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, this agent can be orchestrated by other agents. The threat is cascading failures or trust abuse, where a compromised upstream agent uses this tool to silently extract or corrupt database contents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).