sqlens-mcp — agentic threat model
sqlens-mcp presents a moderate security risk primarily centered on data exfiltration and credential exposure. While restricted to a read-only surface (SELECT/EXPLAIN), prompt injection can still be leveraged to scrape sensitive database schemas and records via the exposed DEVDB_URL connection.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.20 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — The listing does not specify the underlying LLM used, but any model driving this tool is vulnerable to prompt injection that could craft malicious SELECT queries to exfiltrate sensitive database records.
Layer 2 (Data Operations): The agent directly queries local development databases (Postgres, MySQL, SQLite) via a single DEVDB_URL. The primary threat is unauthorized data exfiltration/scraping of sensitive development or seeded production data through the read path.
Layer 3 (Agent Frameworks): Implements the Model Context Protocol (MCP) to expose database inspection tools. Vulnerable to tool misuse where an LLM is manipulated into executing resource-intensive queries (DoS) or extracting schema metadata to map the network.
Layer 4 (Deployment & Infrastructure): Configured via a single DEVDB_URL environment variable containing database credentials. If the hosting environment or MCP server is compromised, these credentials can be stolen, leading to direct database access.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of query logging, guardrails, or anomaly detection to flag suspicious or overly broad SELECT queries before they execute.
Layer 6 (Security & Compliance): The tool attempts to enforce a read-only security boundary (SELECT/EXPLAIN only). However, compliance risks remain high if the DEVDB_URL points to databases containing PII or credentials without proper access controls or audit logging.
Layer 7 (Agent Ecosystem): Not certain from the listing — While designed as an MCP tool that can integrate into broader agentic workflows, there are no explicit multi-agent coordination or trust boundaries defined in the listing.
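As an added illustration (not code from sqlens-mcp), the kind of guard and audit record the observability and read-only-boundary layers above call for: a fail-closed SELECT/EXPLAIN-only check that refuses multi-statement input, data-modifying CTEs and EXPLAIN ANALYZE wrapped around a write, plus a DEVDB_URL redactor so the credential never reaches the log or the model context. Function names and the sample DSN are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Leading keywords the read-only surface admits: SELECT/EXPLAIN, plus WITH for CTEs.
ALLOWED_LEADING = {"SELECT", "EXPLAIN", "WITH"}
# Tokens that must not appear anywhere in an admitted statement. INSERT/UPDATE/DELETE catch
# data-modifying CTEs, FOR UPDATE locks and EXPLAIN ANALYZE <write> (which Postgres really
# executes); INTO catches SELECT INTO and MySQL INTO OUTFILE; the rest are file/DoS helpers.
FORBIDDEN_TOKENS = {
    "INSERT", "UPDATE", "DELETE", "MERGE", "INTO", "CREATE", "ALTER", "DROP", "TRUNCATE",
    "GRANT", "REVOKE", "COPY", "CALL", "EXECUTE", "OUTFILE", "DUMPFILE", "LOAD_FILE",
    "PG_READ_FILE", "PG_SLEEP", "SLEEP", "BENCHMARK",
}

def _strip_comments_and_strings(sql: str) -> str:
    """Blank out comments and literals so keywords inside them do not trip the guard.
    Coarse by design (no dollar quoting or backticks); a real SQL parser is the better guard."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    sql = re.sub(r"'(?:[^']|'')*'", "''", sql)   # 'it''s' -> ''
    return re.sub(r'"(?:[^"]|"")*"', '""', sql)  # quoted identifiers

def check_read_only(sql: str) -> tuple[bool, str]:
    """Return (allowed, reason). Fails closed: only one bounded SELECT/EXPLAIN statement passes."""
    statements = [s for s in _strip_comments_and_strings(sql).split(";") if s.strip()]
    if len(statements) != 1:
        return False, "expected exactly one statement"
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", statements[0].upper())
    lead = tokens[0] if tokens else "<none>"
    if lead not in ALLOWED_LEADING:
        return False, f"leading keyword {lead} is not SELECT/EXPLAIN/WITH"
    hit = FORBIDDEN_TOKENS.intersection(tokens)
    if hit:
        return False, f"forbidden token(s): {sorted(hit)}"
    if lead != "EXPLAIN" and "LIMIT" not in tokens:
        return False, "unbounded SELECT: add a LIMIT"
    return True, "ok"

def redact_dsn(dsn: str) -> str:
    """Mask the password of a DEVDB_URL-style DSN before it reaches a log or a model context."""
    parts = urlsplit(dsn)
    if parts.password is None:
        return dsn
    host = (parts.hostname or "") + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, f"{parts.username}:***@{host}", parts.path, parts.query, parts.fragment))

def audit_record(sql: str, dsn: str) -> dict:
    """One structured log entry per tool call, with the credential already redacted (assumed schema)."""
    allowed, reason = check_read_only(sql)
    return {"allowed": allowed, "reason": reason, "target": redact_dsn(dsn), "sql": sql.strip()}
```

Every rejection carries a reason string, so the same record doubles as the anomaly signal the listing does not mention: a burst of "forbidden token" or "unbounded SELECT" rejections from one session is worth alerting on.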
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).