
readonly-db-mcp — agentic threat model

AIVSS 4.0 · Medium

The readonly-db-mcp agent presents a low-to-moderate agentic risk posture: its capabilities are constrained to read-only database operations behind three layers of write protection, but it holds database credentials and returns live table data to its callers, so the residual risk is to confidentiality rather than integrity.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 5.3
AARS uplift: 0.89
Factor sum: 2.0/10
Threat multiplier (ThM): ×0.95
Mitigation factor: ×0.65

Worked through with these inputs: AARS = (10 − 5.3) × (2.0/10) × 0.95 = 4.7 × 0.2 × 0.95 ≈ 0.89, and AIVSS = (5.3 + 0.89) × 0.65 ≈ 4.0, which lands in the Medium band. The factor sum is the total of the ten agentic risk factors below.
Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.40
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.10
Non-Determinism: 0.20
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the agent is an MCP tool server and bundles no foundation model of its own, so there is no model here to attack directly. The exposure is indirect: the calling model generates the SQL, and whatever a query returns lands in that model's context, so row contents under an attacker's influence (a free-text comment field, a user-supplied name) can carry instructions back to the calling agent and steer it toward probing the write gate or reading further tables.

L2 · Data Operations (✓ mapped)

The agent queries live MySQL databases directly. Read-only does not mean low-sensitivity: the tool exposes schema structure (MySQL's information_schema is readable with a plain SELECT) and table contents, so the relevant threats are unauthorized data exfiltration and inference attacks composed entirely of legitimate read-only queries.

L3 · Agent Frameworks (✓ mapped)

Tool integration is secured by three layers of write protection on SQL execution; the listing does not say what those layers are. The classic failure modes of an application-side statement classifier are worth verifying against it: a second statement behind a leading SELECT, DML hidden in comments or in MySQL's executable /*! */ comments, SELECT ... INTO OUTFILE (a server-side file write), and MySQL 8's WITH ... UPDATE/DELETE, where a CTE prefix says nothing about the statement that follows. A defect in that parsing logic, or in the framework's orchestration around it, can open an unexpected query execution path.
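The failure modes listed above are easiest to see side by side. The following is an added example, not readonly-db-mcp's own code (the listing does not describe its three layers): a first-token check that many tools start with, next to a stricter fail-closed classifier for a single MySQL read statement, run over constructed probe statements. It assumes the other two layers are a database account granted only SELECT and a read-only session, which the listing does not confirm.

```python
"""Read-only SQL gate: a first-token check beside a stricter classifier.

Added example, not readonly-db-mcp's own code. The listing says the server
enforces three layers of write protection but does not describe them; this
block shows what an application-side layer has to handle for MySQL and why a
first-token check alone is weak. It assumes the other layers are a database
account granted only SELECT and a read-only session (not confirmed by the
listing).
"""
import re

READ_ONLY_HEAD = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN", "WITH"}

# Verbs that must not appear anywhere outside a string or quoted identifier.
# Conservative by design: a bare column called truncate is rejected too.
WRITE_VERBS = {
    "INSERT", "UPDATE", "DELETE", "REPLACE", "MERGE", "CALL", "DO", "SET",
    "CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME", "GRANT", "REVOKE",
    "LOAD", "HANDLER", "LOCK",
}

_QUOTED = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|`[^`]*`")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"--[ \t].*?$|#.*?$", re.M)
# Clauses that are not DML but still write files or take row locks.
_SIDE_EFFECT = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b|\bFOR\s+(UPDATE|SHARE)\b")


def naive_is_read_only(sql: str) -> bool:
    """The weak layer: accept any statement whose first word is SELECT-like."""
    words = sql.strip().split(None, 1)
    return bool(words) and words[0].upper() in READ_ONLY_HEAD


def strict_is_read_only(sql: str) -> bool:
    """Fail-closed classifier for a single MySQL read statement."""
    # MySQL executes /*! ... */ as SQL, so a comment stripper would hide DML
    # inside it from every later check. Reject the construct outright.
    if "/*!" in sql:
        return False
    # Blank quoted text first so keywords inside literals (name = 'DELETE')
    # and quoted identifiers do not count, then drop real comments.
    body = _QUOTED.sub("''", sql)
    body = _BLOCK_COMMENT.sub(" ", body)
    body = _LINE_COMMENT.sub(" ", body)
    # Exactly one statement: a trailing semicolon is fine, an embedded one is not.
    if ";" in body.rstrip().rstrip(";"):
        return False
    tokens = [t.upper() for t in re.findall(r"[A-Za-z_]\w*", body)]
    if not tokens or tokens[0] not in READ_ONLY_HEAD:
        return False
    # MySQL 8 accepts WITH ... UPDATE / WITH ... DELETE, so the head token
    # proves nothing on its own; the whole body must be free of write verbs.
    if WRITE_VERBS.intersection(tokens):
        return False
    return _SIDE_EFFECT.search(body.upper()) is None


# Constructed probes: statements a calling agent might be steered into issuing.
PROBES = [
    "SELECT id, name FROM users WHERE name = 'DELETE'",
    "SHOW TABLES",
    "EXPLAIN SELECT 1 FROM orders -- ; DROP TABLE orders",
    "SELECT 1; DROP TABLE users",
    "SELECT /*! DELETE FROM users */ 1",
    "SELECT * FROM users INTO OUTFILE '/tmp/users.csv'",
    "WITH t AS (SELECT id FROM users) DELETE FROM users WHERE id IN (SELECT id FROM t)",
    "SELECT * FROM accounts FOR UPDATE",
    "DELETE FROM users",
]


def compare(queries=PROBES):
    """Return (sql, naive_verdict, strict_verdict) for each probe."""
    return [(q, naive_is_read_only(q), strict_is_read_only(q)) for q in queries]


if __name__ == "__main__":
    for sql, naive, strict in compare():
        print(f"naive={naive!s:<5} strict={strict!s:<5} {sql}")
```

The first-token check passes eight of the nine probes, including the multi-statement, the executable comment, the INTO OUTFILE file write, the CTE-prefixed DELETE and the row-locking SELECT; the strict classifier passes only the three genuine reads. Whatever the gate looks like, a SELECT-only database account underneath it is what turns a classifier miss into a denied query rather than a write.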

L4 · Deployment & Infrastructure (✓ mapped)

The agent holds database host, user, and password credentials. If the hosting environment or the MCP server process is compromised, those credentials give direct database access that bypasses the agent's read-only controls entirely; the controls still hold in that scenario only if the database account itself is granted no more than SELECT, so that a leaked credential cannot write.

L5 · Evaluation & Observability (✓ mapped)

Optional audit logging records executed queries, closing an observability blind spot: the log is the evidence needed to detect malicious or anomalous query patterns from the calling agent, such as an information_schema listing followed by a sweep across tables. Being optional, it provides no coverage unless the deployment turns it on.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Policy enforcement rests on two controls: an optional gated mode that requires explicit approval before an action executes, and the three-layer write protection that enforces the read-only data access policy. Both are technical controls on what the tool will execute; demonstrating compliance still depends on the audit log to show what was actually read.

L7 · Agent Ecosystem (✓ mapped)

The server is designed to be called by other agents within an MCP ecosystem, and it trusts its callers. A compromised orchestrator agent can abuse the tool to map the schema and then exfiltrate the entire database contents, one legitimate read-only query at a time, so the controls that matter at this layer are those that bound and observe reads rather than block writes.
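The L5 and L7 points above meet in the audit log: the schema sweep a compromised orchestrator performs is invisible to a write gate but obvious in a query log. The following is an added example, not readonly-db-mcp's own code. The listing gives no log format, so the JSON-lines records (fields ts, caller, sql, rows), the constructed sample, and the thresholds are all assumptions; the detection logic flags three patterns per caller inside a sliding window: information_schema access, fan-out across many distinct tables, and total rows returned above a budget.

```python
"""Audit-log analytics for a read-only SQL tool: spotting schema enumeration
and bulk reads by a calling agent.

Added example, not readonly-db-mcp's own code. The listing says the server can
log executed queries but gives no format, so the JSON-lines records below
(fields ts, caller, sql, rows), the constructed sample, and the thresholds are
all assumptions.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
TABLE_FAN_OUT = 4      # distinct tables touched by one caller inside WINDOW
ROW_BUDGET = 10_000    # rows handed back to one caller inside WINDOW
_TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)", re.I)

# Constructed sample: a well-behaved caller, a legitimate three-table report,
# and an orchestrator that lists the schema and then sweeps it table by table.
AUDIT_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "caller": "billing-agent", "sql": "SELECT id, total FROM invoices WHERE id = 4121", "rows": 1}
{"ts": "2024-05-01T10:00:03Z", "caller": "billing-agent", "sql": "SELECT status FROM invoices WHERE id = 4121", "rows": 1}
{"ts": "2024-05-01T10:00:30Z", "caller": "report-agent", "sql": "SELECT o.id FROM orders o JOIN customers c ON c.id = o.customer_id JOIN regions r ON r.id = c.region_id WHERE r.code = 'EU'", "rows": 200}
{"ts": "2024-05-01T10:01:00Z", "caller": "orchestrator", "sql": "SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE()", "rows": 14}
{"ts": "2024-05-01T10:01:02Z", "caller": "orchestrator", "sql": "SELECT * FROM users", "rows": 52000}
{"ts": "2024-05-01T10:01:05Z", "caller": "orchestrator", "sql": "SELECT * FROM orders", "rows": 310000}
{"ts": "2024-05-01T10:01:09Z", "caller": "orchestrator", "sql": "SELECT * FROM payments", "rows": 280000}
{"ts": "2024-05-01T10:01:14Z", "caller": "orchestrator", "sql": "SELECT * FROM api_keys", "rows": 37}
"""


def parse_log(text):
    """Parse JSON-lines audit records, extract referenced tables, sort by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        # Table references after FROM/JOIN; good enough for read statements.
        rec["tables"] = {t.lower() for t in _TABLE_REF.findall(rec["sql"])}
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events):
    """Return sorted (caller, alert_kind) pairs found in a per-caller sliding window."""
    alerts = set()
    by_caller = defaultdict(list)
    for e in events:
        by_caller[e["caller"]].append(e)
    for caller, evs in by_caller.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW:
                window.popleft()
            tables = set().union(*(w["tables"] for w in window))
            # Reading the catalogue is the first step of a schema sweep.
            if any(t.startswith("information_schema.") for t in tables):
                alerts.add((caller, "schema_probe"))
            # Many distinct tables in a short window: mapping, not answering.
            if len(tables) >= TABLE_FAN_OUT:
                alerts.add((caller, "schema_walk"))
            # Volume of rows returned is the exfiltration signal a write gate never sees.
            if sum(w["rows"] for w in window) >= ROW_BUDGET:
                alerts.add((caller, "bulk_read"))
    return sorted(alerts)


if __name__ == "__main__":
    for caller, kind in detect(parse_log(AUDIT_LOG)):
        print(f"{caller}: {kind}")
```

Only the orchestrator trips the three alerts; the three-table join from report-agent stays under the fan-out threshold and the billing lookups never leave one table. The thresholds are placeholders to tune against a real baseline of the calling agents, and the table extraction is deliberately simple, so a production detector would parse statements properly rather than regex FROM and JOIN.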

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).