
Qdrant — agentic threat model

AIVSS 8.6 · High

Qdrant's MCP server acts as a critical semantic memory layer for other agents, making it a high-value target for indirect prompt injection and data poisoning that can compromise downstream agentic workflows.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base:          7.5
AARS uplift:        1.13
Factor sum:         4.3 / 10
Threat (ThM):       ×1.05
Mitigation factor:  ×1.0

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action          0.20
Goal-Driven Planning        0.10
Self-Modification           0.30
Dynamic Tool Use            0.40
Persistent Memory           0.90
Contextual Awareness        0.80
Dynamic Identity            0.10
Multi-Agent Interactions    0.70
Non-Determinism             0.50
Opacity & Reflexivity       0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Qdrant is a vector database MCP server and does not bundle its own foundation model, though it relies on external embedding models which are vulnerable to adversarial examples and inversion attacks.

L2 · Data Operations (✓ mapped)

Highly critical layer. Qdrant directly manages vector storage, retrieval, and collection management. Primary threats include data/knowledge-base poisoning, unauthorized vector insertion, and embedding inversion to reconstruct sensitive source texts.

L3 · Agent Frameworks (✓ mapped)

Acts as the semantic memory tool within agent frameworks. Insecure tool integration or lack of input validation on retrieved chunks can lead to indirect prompt injection when downstream agents consume poisoned vectors.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — the MCP server runs locally or in a containerized environment. Threats depend on host security, network exposure of the Qdrant instance, and the handling of API keys/credentials for database access.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — Requires external monitoring of vector search relevance, latency, and anomaly detection for bulk data exfiltration or rapid injection of malicious embeddings.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — Access control, authentication, and transport encryption (TLS) must be configured at the database and MCP protocol level to prevent unauthorized collection manipulation.

L7 · Agent Ecosystem (✓ mapped)

Directly enables multi-agent coordination by serving as a shared memory space. A compromised or rogue agent can write malicious payloads into the vector store, leading to cascading failures across all participating agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).