
sqlens-mcp — agentic threat model

AIVSS 6.3 · Medium

sqlens-mcp presents a moderate security risk primarily centered on data exfiltration and credential exposure. While restricted to a read-only surface (SELECT/EXPLAIN), prompt injection can still be leveraged to scrape sensitive database schemas and records via the exposed DEVDB_URL connection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 6.8 · AARS uplift 0.64 · Factor sum 2.0/10 · Threat ×1.0 · Mitigation ×0.85
Agentic risk factors:

Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.50
Persistent Memory: 0.00
Contextual Awareness: 0.20
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
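Worked computation, added here to show how the listed inputs produce the headline score (this arithmetic is not part of the original listing; it substitutes the page's own values into the formula above):

Factor_Sum = 0.40 + 0.20 + 0.00 + 0.50 + 0.00 + 0.20 + 0.10 + 0.10 + 0.30 + 0.20 = 2.0

AARS = (10 − 6.8) × (2.0 / 10) × 1.0 = 3.2 × 0.2 = 0.64

AIVSS = (6.8 + 0.64) × 0.85 = 7.44 × 0.85 = 6.324 ≈ 6.3

The uplift is small because the factor sum is only 2.0 of a possible 10 (the agent has no self-modification or persistent memory), and the 0.85 mitigation factor reflects the read-only surface; the CVSS base of 6.8 still dominates the result.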

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing does not specify the underlying LLM used, but any model driving this tool is vulnerable to prompt injection that could craft malicious SELECT queries to exfiltrate sensitive database records.

L2 · Data Operations (✓ mapped)

The agent directly queries local development databases (Postgres, MySQL, SQLite) via a single DEVDB_URL. The primary threat is unauthorized data exfiltration/scraping of sensitive development or seeded production data through the read path.

L3 · Agent Frameworks (✓ mapped)

Implements the Model Context Protocol (MCP) to expose database inspection tools. Vulnerable to tool misuse where an LLM is manipulated into executing resource-intensive queries (DoS) or extracting schema metadata to map the database layout.

L4 · Deployment & Infrastructure (✓ mapped)

Configured via a single DEVDB_URL environment variable containing database credentials. If the hosting environment or MCP server is compromised, these credentials can be stolen, leading to direct database access.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of query logging, guardrails, or anomaly detection to flag suspicious or overly broad SELECT queries before they execute.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The tool attempts to enforce a read-only security boundary (SELECT/EXPLAIN only). However, compliance risks remain high if the DEVDB_URL points to databases containing PII or credentials without proper access controls or audit logging.
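As an added example (not sqlens-mcp's own code; the listing does not describe its internals), the following Python sketches the guardrail and audit record that L5 and L6 above say are missing or unconfirmed. It admits only a single SELECT or EXPLAIN statement, refuses EXPLAIN of a write or EXPLAIN ANALYZE (which executes the plan), denies a conservative list of write/DDL keywords, and emits a JSON audit line that flags unbounded SELECT * and catalog enumeration. The keyword sets, the audit schema and the sample queries are all constructed; the function and constant names are hypothetical.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed example, not sqlens-mcp's own code. This is a text-level check
# meant to sit in front of a read-only database role or transaction, which
# remains the real enforcement of the SELECT/EXPLAIN-only boundary.

READ_ONLY_LEADS = ("SELECT", "EXPLAIN")

# Keywords that never belong in a read-only query. Deliberately conservative
# and not exhaustive: a SELECT can still call side-effecting functions.
DENY_TOKENS = {
    "INSERT", "UPDATE", "DELETE", "MERGE", "DROP", "ALTER", "CREATE",
    "TRUNCATE", "GRANT", "REVOKE", "INTO", "COPY", "CALL", "EXECUTE", "DO",
    "LOCK", "ANALYZE", "VACUUM", "PRAGMA", "ATTACH", "DETACH", "LOAD",
}

# Catalog names a schema inspector legitimately reads, but worth recording in
# the audit trail as schema enumeration.
CATALOG_TOKENS = {"INFORMATION_SCHEMA", "PG_CATALOG", "SQLITE_MASTER"}

_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"")


@dataclass
class Verdict:
    allowed: bool
    reason: str
    flags: list = field(default_factory=list)


def normalize(sql: str) -> str:
    """Drop comments and blank out quoted literals/identifiers so keyword
    checks cannot be fooled by text hidden inside quotes."""
    sql = _COMMENT_RE.sub(" ", sql)
    sql = _LITERAL_RE.sub("''", sql)
    return sql.strip()


def check_query(sql: str) -> Verdict:
    """Decide whether one submitted query stays inside the read-only surface."""
    body = normalize(sql).rstrip(";").rstrip()
    if ";" in body:  # a trailing ';' is fine, an interior one is a second statement
        return Verdict(False, "multiple statements")
    tokens = [t.upper() for t in re.findall(r"[A-Za-z_]+", body)]
    if not tokens or tokens[0] not in READ_ONLY_LEADS:
        return Verdict(False, "statement must start with SELECT or EXPLAIN")
    # EXPLAIN of a write is still a write; EXPLAIN ANALYZE is caught by DENY_TOKENS.
    if tokens[0] == "EXPLAIN" and "SELECT" not in tokens[1:]:
        return Verdict(False, "EXPLAIN must wrap a SELECT")
    bad = sorted(DENY_TOKENS.intersection(tokens))
    if bad:
        return Verdict(False, f"forbidden keyword: {bad[0]}")
    flags = []
    if re.search(r"\bSELECT\s+(?:DISTINCT\s+)?\*", body, re.I) \
            and not {"WHERE", "LIMIT"} & set(tokens):
        flags.append("unbounded SELECT *")
    if CATALOG_TOKENS & set(tokens):
        flags.append("schema enumeration")
    return Verdict(True, "ok", flags)


def audit_record(sql: str, verdict: Verdict, principal: str = "mcp-client") -> str:
    """One JSON line per decision: the query log the threat model asks for."""
    return json.dumps({
        "principal": principal,
        "allowed": verdict.allowed,
        "reason": verdict.reason,
        "flags": verdict.flags,
        "query": sql.strip()[:500],  # constructed cap on logged query length
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample queries, as an MCP client might submit them.
    for q in [
        "SELECT id, email FROM users WHERE id = 1",
        "SELECT * FROM users",
        "SELECT 1; DROP TABLE users",
        "EXPLAIN ANALYZE SELECT * FROM users",
        "SELECT name FROM t WHERE note = 'DROP TABLE x'",
        "SELECT table_name FROM information_schema.tables LIMIT 50",
    ]:
        print(audit_record(q, check_query(q)))
```

The flags are audit signals rather than denials, because broad reads and catalog queries are exactly what a schema-inspection tool exists to do; what the log adds is the ability to notice when a prompt-injected session starts issuing them at volume. The denylist is intentionally the weaker control: it cannot see a side-effecting function called from a SELECT, which is why the database credential in DEVDB_URL should itself be a read-only role.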

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — While designed as an MCP tool that can integrate into broader agentic workflows, there are no explicit multi-agent coordination or trust boundaries defined in the listing.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).