

Qdrant Search MCP — agentic threat model

AIVSS 7.2 · High

The Qdrant Search MCP agent presents a moderate-risk profile primarily centered on data exposure, as it acts as a semantic bridge to proprietary codebases and vector databases without native execution or autonomous action capabilities. Its primary risk is unauthorized data retrieval or prompt injection leading to source code exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5 · AARS uplift 0.67 · Factor sum 1.9/10 · Threat ×1.0 · Mitigation ×1.0
Autonomy of Action: 0.10
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
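A worked computation of the score above, added here as an example (it is not the AIVSS calculator's own code). It applies the formula quoted on this page to the ten factor values and the CVSS base given in the listing, reproduces the intermediate AARS and factor-sum figures, and, going one step beyond the page, shows how a mitigation factor below 1.0 (a hypothetical value standing for compensating controls) lowers the result.

```python
"""Reproduce the AIVSS score from the factor table (added example, not the
calculator's own code). Formula as stated on the page:

    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
"""

# The ten agentic risk factors and the values given in the listing (0.0-1.0 each).
FACTORS = {
    "Autonomy of Action": 0.10,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}

CVSS_BASE = 6.5          # from the listing
THREAT_MULTIPLIER = 1.0  # "Threat x1.0" in the summary row
MITIGATION_FACTOR = 1.0  # "Mitigation x1.0" in the summary row


def factor_sum(factors):
    """Sum of the ten factors; each must lie in [0, 1], so the sum lies in [0, 10]."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    bad = {name: v for name, v in factors.items() if not 0.0 <= v <= 1.0}
    if bad:
        raise ValueError(f"factor values outside [0, 1]: {bad}")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier=1.0):
    """Agentic risk uplift: the headroom above the CVSS base, scaled by the factor sum."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Final score; a mitigation factor below 1.0 scales the whole score down."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return (cvss_base + uplift) * mitigation_factor


def breakdown(cvss_base=CVSS_BASE, factors=FACTORS,
              threat_multiplier=THREAT_MULTIPLIER, mitigation_factor=MITIGATION_FACTOR):
    """Return the intermediate values the page's summary row shows, rounded as displayed."""
    return {
        "cvss_base": cvss_base,
        "factor_sum": round(factor_sum(factors), 2),
        "aars": round(aars(cvss_base, factors, threat_multiplier), 2),
        "aivss": round(aivss(cvss_base, factors, threat_multiplier, mitigation_factor), 1),
    }


if __name__ == "__main__":
    print(breakdown())
    # Hypothetical: the same agent with compensating controls scored as Mitigation x0.8
    print("with mitigation 0.8:", round(aivss(CVSS_BASE, FACTORS, mitigation_factor=0.8), 1))
```

The factor-range checks matter in practice: a single factor entered as a percentage (for example 40 instead of 0.40) would push the uplift past the headroom and produce a score above 10, which the formula never intends.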

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The agent relies on an external LLM via the Model Context Protocol (MCP) to formulate queries and interpret snippets. It is susceptible to prompt injection designed to bypass retrieval constraints or leak system instructions, though the model itself is hosted externally.

L2 · Data Operations (✓ mapped)

The core risk layer. The agent connects directly to a Qdrant vector database containing indexed source code. Threats include embedding inversion, unauthorized semantic retrieval of proprietary logic, and potential data poisoning if malicious code is indexed and subsequently retrieved to influence developer decisions.

L3 · Agent Frameworks (✓ mapped)

The agent uses the Model Context Protocol (MCP) to expose semantic search tools. Vulnerabilities in the tool-calling schema or insecure integration could allow an attacker to manipulate query parameters or extract connection details to the underlying Qdrant instance.

L4 · Deployment & Infrastructure (✓ mapped)

The server hosts connection credentials for the Qdrant database. If the deployment environment is not sandboxed, an attacker exploiting the MCP host could compromise these credentials, leading to direct database access and lateral movement within the network.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in logging, query auditing, or guardrails to detect anomalous search patterns, semantic data exfiltration attempts, or prompt injection attacks targeting the search interface.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — The description does not detail any authentication or authorization mechanisms to restrict which users or client applications can query the indexed codebases, posing a compliance risk for proprietary IP.
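The two layers above (L5 observability, L6 authorization) are the ones the listing leaves open. The following is an added example of the kind of policy and audit layer a deployer would put in front of the search tool; it is hypothetical code, not the Qdrant Search MCP project's, and it assumes a per-client grant table, a maximum result count, and a per-client rate window as the controls. It does not touch Qdrant itself: it decides whether a call may reach the database and writes every decision to an audit log that a simple detection rule can read.

```python
"""Policy and audit layer in front of an MCP semantic-search tool (added
example; hypothetical, not the Qdrant Search MCP project's code).

Controls shown:
  - per-client collection grants   (authorization the listing does not describe)
  - bounded top_k and query length (blunts bulk dumps through a single call)
  - per-client sliding-window rate limit
  - audit log of every decision plus a detection rule over it
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class SearchGuard:
    # client_id -> collections that client may query (assumed policy table;
    # in a real deployment this would come from configuration, not code)
    grants: dict
    max_top_k: int = 10
    max_query_chars: int = 512
    window_seconds: float = 60.0
    max_queries_per_window: int = 20
    audit_log: list = field(default_factory=list)
    _history: dict = field(default_factory=lambda: defaultdict(deque), repr=False)

    def check(self, client_id, collection, query, top_k, now=None):
        """Decide whether this search may reach the vector store, and record the decision."""
        now = time.time() if now is None else now
        decision = self._evaluate(client_id, collection, query, top_k, now)
        self.audit_log.append({
            "ts": now, "client": client_id, "collection": collection,
            "top_k": top_k, "query_len": len(query),
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _evaluate(self, client_id, collection, query, top_k, now):
        if collection not in self.grants.get(client_id, set()):
            return Decision(False, "collection not granted to client")
        if not 1 <= top_k <= self.max_top_k:
            return Decision(False, f"top_k outside 1..{self.max_top_k}")
        if len(query) > self.max_query_chars:
            return Decision(False, "query too long")
        hist = self._history[client_id]
        while hist and now - hist[0] > self.window_seconds:  # drop calls outside the window
            hist.popleft()
        if len(hist) >= self.max_queries_per_window:
            return Decision(False, "rate limit exceeded")
        hist.append(now)  # only calls that actually go through count against the window
        return Decision(True, "ok")


def denied_clients(audit_log, min_denials=3):
    """Detection rule over the audit log: clients with repeated denials, e.g. an
    upstream agent probing collections it was never granted."""
    counts = defaultdict(int)
    for rec in audit_log:
        if not rec["allowed"]:
            counts[rec["client"]] += 1
    return {client: n for client, n in counts.items() if n >= min_denials}


def demo():
    """Constructed scenario: one well-behaved client and one that over-reaches."""
    guard = SearchGuard(grants={"ide-plugin": {"internal-sdk"}, "orchestrator": {"public-docs"}},
                        max_queries_per_window=5)
    t0 = 1_700_000_000.0  # constructed timestamp
    ok = guard.check("ide-plugin", "internal-sdk", "how is the auth token refreshed", 5, now=t0)
    wrong_coll = guard.check("orchestrator", "internal-sdk", "list all files", 5, now=t0)
    for i in range(6):  # the sixth call inside the window trips the rate limit
        last = guard.check("orchestrator", "public-docs", f"chunk {i}", 10, now=t0 + i)
    later = guard.check("orchestrator", "public-docs", "chunk 7", 10, now=t0 + 120)
    return guard, ok, wrong_coll, last, later


if __name__ == "__main__":
    guard, *decisions = demo()
    for d in decisions:
        print(d)
    print("flagged:", denied_clients(guard.audit_log, min_denials=2))
```

The guard counts only calls that reach the store against the rate window, so a client cannot exhaust its own budget with rejected requests; the denials still land in the audit log, which is where the detection rule looks.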

L7 · Agent Ecosystem (✓ mapped)

As an MCP tool, this agent is designed to be called by other orchestrators or agents. This introduces risks of cascading trust abuse, where a compromised upstream agent could programmatically exfiltrate the entire codebase via semantic queries.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).