readonly-db-mcp — agentic threat model
The readonly-db-mcp agent has a low-to-moderate agentic risk posture: its capabilities are strictly constrained to read-only database operations behind three-layer write protection, though it does handle sensitive database credentials.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.40 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.30 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — the agent acts as an MCP tool server and does not bundle its own foundation model. It is still exposed to downstream prompt injection: injected instructions could drive the calling model to generate SQL that attempts to bypass the server's constraints.
Layer 2 (Data Operations): The agent directly queries live MySQL databases. Although write-protected, it exposes sensitive schema structures and table data, making it a target for unauthorized data exfiltration or inference attacks carried out through read-only SQL queries.
Layer 3 (Agent Frameworks): Focuses on secure tool integration by enforcing three layers of write protection on SQL execution. Vulnerabilities in the parsing logic or in the framework's orchestration could nonetheless open unexpected query execution paths.
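The listing says the server enforces three layers of write protection but does not name them. The Python guard below is an added illustration, not readonly-db-mcp's code, of how such layering fails closed and why the comment and string-literal handling must be a single pass; it assumes the layers are a statement-type allowlist, single-statement plus write-keyword rejection, and (outside the code) a read-only MySQL account.

```python
import re

# Assumed layers for this added example (the listing does not name the project's own three):
# 1. first keyword is a read-only statement type; 2. a single statement containing no
# write/DDL/file-output keyword anywhere; 3. a read-only MySQL account (server side, not shown).
READ_ONLY_STARTS = {"select", "show", "describe", "desc", "explain", "with"}
WRITE_KEYWORDS = {"insert", "update", "delete", "drop", "alter", "create", "truncate",
                  "grant", "revoke", "load", "rename", "into", "outfile", "dumpfile"}


def normalize(sql: str) -> str:
    """Drop comments and blank out string literals in ONE pass, so a quote inside a
    comment or a comment marker inside a string cannot hide text from later checks.
    MySQL rules: '--' is a comment only before whitespace/EOF; '/*! */' is executed."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c, nxt = sql[i], sql[i + 1:i + 2]
        if c in "'\"":                                   # string literal -> ''
            j = i + 1
            while j < n and sql[j] != c:
                j += 2 if sql[j] == "\\" else 1          # skip backslash escapes
            if j >= n:
                raise ValueError("unterminated string literal")
            out.append("''")
            i = j + 1
        elif c == "/" and nxt == "*" and sql[i + 2:i + 3] != "!":   # block comment
            j = sql.find("*/", i + 2)
            if j < 0:
                raise ValueError("unterminated comment")
            out.append(" ")
            i = j + 2
        elif c == "#" or (c == "-" and nxt == "-" and sql[i + 2:i + 3] in " \t\n"):
            j = sql.find("\n", i)                        # line comment ('' at EOF matches too)
            i = n if j < 0 else j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def check_read_only(sql: str) -> tuple[bool, str]:
    try:                                                 # any failure rejects (fail closed)
        text = normalize(sql).strip().rstrip(";").strip()
    except ValueError as e:
        return False, str(e)
    if ";" in text:                                      # layer 2a: exactly one statement
        return False, "multiple statements are not allowed"
    tokens = re.findall(r"[a-z_]+", text.lower())
    if not tokens or tokens[0] not in READ_ONLY_STARTS:  # layer 1: statement type
        return False, "statement type is not read-only"
    if hit := WRITE_KEYWORDS.intersection(tokens):       # layer 2b: write verb hidden in CTE/subquery/INTO
        return False, "write keyword present: " + min(hit)
    return True, "ok"
```

The keyword layer is deliberately conservative (for example `SELECT ... FOR UPDATE` is rejected); a false rejection costs one retry, a false acceptance costs the database.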
Layer 4 (Deployment & Infrastructure): The agent stores database host, user, and password credentials. If the hosting environment or the MCP server process is compromised, those credentials could be leaked, giving direct database access that bypasses the agent's read-only controls.
Layer 5 (Evaluation & Observability): Includes optional audit logging of executed queries, which reduces observability blind spots and helps detect malicious or anomalous query patterns generated by the calling agent.
Layer 6 (Security & Compliance): Provides strong compliance controls through an optional gated mode (explicit approval required for actions) and the explicit three-layer write protection that enforces read-only data access policies.
Layer 7 (Agent Ecosystem): Designed to be called by other agents within an MCP ecosystem. A compromised orchestrator agent could abuse this tool to systematically map and exfiltrate the entire database schema and contents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).