steampipe-mcp-server (zen4ever) — agentic threat model
This agent acts as a direct bridge between natural language models and sensitive cloud infrastructure metadata via Steampipe SQL queries. While primarily read-only, its access to credentialed cloud APIs across 500+ plugins presents a high-value target for data exfiltration and security posture reconnaissance.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
| --- | --- | --- |
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.30 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.70 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.30 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — relies on external host LLMs (such as Claude) via MCP. The primary threat is prompt injection or reprogramming that forces the model to construct malicious SQL queries designed to bypass schema restrictions or exfiltrate specific cloud metadata.
Layer 2 (Data Operations): The agent operates as a Zero-ETL query engine over live cloud metadata. Data operations threats include SQL injection via natural-language-to-SQL translation, potentially exposing sensitive configuration data, IAM policies, or credentials stored in cloud metadata tables.
Layer 3 (Agent Frameworks): The MCP server exposes Steampipe's SQL querying capabilities as tools. The primary threat is insecure tool integration where the agent executes arbitrary or overly broad SQL queries against the Steampipe Postgres instance without strict input sanitization or query-structure validation.
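The query-structure validation this layer calls for can sit as a chokepoint between the tool handler and Postgres. The following is an added example written for this page, not code from the steampipe-mcp-server project; it assumes a hypothetical `validate_query()` function that the tool handler calls before executing, a hypothetical allowlist of table prefixes, and that the project is (or could be wrapped in) Python. It rejects multi-statement input, anything other than a single SELECT/WITH, write and file-access keywords, dollar-quoted strings, references to tables outside the allowlist, and over-large LIMITs, and it appends a row cap when the model omits one.

```python
"""Pre-execution guardrail for LLM-generated SQL.

Added example, not steampipe-mcp-server's own code. It assumes a hypothetical
chokepoint, validate_query(), that the MCP tool handler calls before handing a
statement to Steampipe's Postgres. It is defence in depth: the database role
should still be read-only, and a real deployment should use a proper SQL parser.
"""
import re

# Hypothetical allowlist: Steampipe tables the agent may read, by prefix.
ALLOWED_TABLE_PREFIXES = ("aws_", "gcp_", "azure_")
# Statements and functions that have no place in a read-only metadata query.
FORBIDDEN = {
    "insert", "update", "delete", "drop", "alter", "create", "truncate",
    "grant", "revoke", "copy", "into", "execute", "call", "do",
    "pg_read_file", "pg_read_binary_file", "pg_ls_dir", "lo_import",
    "lo_export", "dblink", "pg_sleep",
}
MAX_LIMIT = 1000  # row cap appended when the model omits a LIMIT

# A single-quoted literal ('' escapes a quote), a -- comment, or a /* */ comment.
_LIT_OR_COMMENT = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
_DOLLAR_QUOTE = re.compile(r"\$[A-Za-z_]*\$")
_TABLE_REF = re.compile(r'\b(?:from|join)\s+([\w."]+)', re.I)
_CTE_NAME = re.compile(r"(?:\bwith|,)\s+([A-Za-z_]\w*)\s+as\s*\(", re.I)


class QueryRejected(ValueError):
    """Raised when a statement fails the structural checks."""


def _split(sql: str):
    """Return (runnable, shape): comments dropped in both; in `shape` every
    string literal is replaced by '?' so literal contents cannot fool the checks."""
    runnable = _LIT_OR_COMMENT.sub(lambda m: m.group(0) if m.group(0).startswith("'") else " ", sql)
    shape = _LIT_OR_COMMENT.sub(lambda m: "'?'" if m.group(0).startswith("'") else " ", sql)
    return runnable.strip().rstrip(";").strip(), shape.strip().rstrip(";").strip()


def validate_query(sql: str) -> str:
    """Return the statement to execute (LIMIT enforced) or raise QueryRejected."""
    if _DOLLAR_QUOTE.search(sql):
        raise QueryRejected("dollar-quoted strings are not allowed")
    runnable, shape = _split(sql)
    if ";" in shape:
        raise QueryRejected("only a single statement is allowed")
    words = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", shape.lower())
    if not words or words[0] not in ("select", "with"):
        raise QueryRejected("only SELECT / WITH queries are allowed")
    bad = FORBIDDEN.intersection(words)
    if bad:
        raise QueryRejected(f"forbidden keyword(s): {sorted(bad)}")
    # Every FROM/JOIN target must be a CTE defined in this query or an allowlisted table.
    cte_names = {n.lower() for n in _CTE_NAME.findall(shape)}
    for ref in _TABLE_REF.findall(shape):
        table = ref.replace('"', "").split(".")[-1].lower()
        if table not in cte_names and not table.startswith(ALLOWED_TABLE_PREFIXES):
            raise QueryRejected(f"table not allowlisted: {ref}")
    m = re.search(r"\blimit\s+(\d+)$", shape, re.I)
    if m and int(m.group(1)) > MAX_LIMIT:
        raise QueryRejected(f"LIMIT {m.group(1)} exceeds cap of {MAX_LIMIT}")
    return runnable if m else f"{runnable} LIMIT {MAX_LIMIT}"


def is_allowed(sql: str) -> bool:
    """Convenience wrapper: True if validate_query() accepts the statement."""
    try:
        validate_query(sql)
        return True
    except QueryRejected:
        return False


if __name__ == "__main__":
    print(validate_query("select name, region from aws_s3_bucket where name like 'prod%'"))
    print(is_allowed("select 1; drop table aws_iam_user"))  # False
```

The regex approach fails closed (for instance, `extract(year from created_at)` is refused because `created_at` is not an allowlisted table), which is the right default for a tool fed by a language model; a production deployment would swap the regexes for a real SQL parser and keep the Postgres role read-only regardless.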
Layer 4 (Deployment and Infrastructure): Not certain from the listing — deployment depends on where the MCP server and Steampipe are hosted. However, the host environment must securely manage and isolate the highly sensitive cloud provider credentials (AWS, GCP, etc.) required by the Steampipe plugins.
Layer 5 (Evaluation and Observability): Not certain from the listing — there is no mention of built-in query logging, guardrails, or anomaly detection to flag unusual or bulk metadata queries generated by the LLM.
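What the missing logging and anomaly detection would look like, as an added example written for this page rather than code from the steampipe-mcp-server project: it assumes a hypothetical JSON-lines log emitted by a wrapper around the query tool (one record per executed statement, with timestamp, chat session, tables touched and rows returned), hypothetical thresholds, and a constructed sample log. Per session it keeps a trailing five-minute window and raises an alert when the window spans too many distinct tables (enumeration), returns too many rows (export), or touches a table holding identity or secret material.

```python
"""Query-log anomaly detection for a Steampipe-backed MCP server.

Added example, not steampipe-mcp-server's own code. It assumes a hypothetical
JSON-lines log that a logging wrapper around the query tool would emit, with one
record per executed statement: the time, the chat session that issued it, the
Steampipe tables it touched and the number of rows returned.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical prefixes of tables whose contents are sensitive on their own.
SENSITIVE_PREFIXES = ("aws_iam_", "aws_secretsmanager_", "aws_ssm_parameter",
                      "gcp_iam_", "gcp_secret_manager_")
WINDOW = timedelta(minutes=5)   # trailing window evaluated per session
MAX_DISTINCT_TABLES = 8         # more than this in one window looks like enumeration
MAX_ROWS = 5000                 # more rows than this in one window looks like export


@dataclass(frozen=True)
class QueryEvent:
    ts: datetime
    session: str
    tables: tuple
    rows: int


def parse_log(text: str) -> list:
    """Parse JSON-lines records into QueryEvents, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(QueryEvent(ts, rec["session"], tuple(rec["tables"]), int(rec["rows"])))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list) -> list:
    """Return sorted (session, rule) alerts; each rule fires at most once per session."""
    alerts = set()
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.session].append(ev)
    for session, evs in by_session.items():
        for i, ev in enumerate(evs):
            if any(t.startswith(SENSITIVE_PREFIXES) for t in ev.tables):
                alerts.add((session, "sensitive_table_access"))
            # This session's events inside the trailing window, current one included.
            window = [e for e in evs[: i + 1] if ev.ts - e.ts <= WINDOW]
            if len({t for e in window for t in e.tables}) > MAX_DISTINCT_TABLES:
                alerts.add((session, "bulk_enumeration"))
            if sum(e.rows for e in window) > MAX_ROWS:
                alerts.add((session, "bulk_export"))
    return sorted(alerts)


# Constructed sample log, not real telemetry: chat-7 browses normally, chat-42
# walks nine different tables within a minute, chat-9 pulls thousands of rows
# from an IAM table.
_ENUM_TABLES = ["aws_vpc", "aws_vpc_subnet", "aws_vpc_security_group", "aws_ec2_instance",
                "aws_rds_db_instance", "aws_lambda_function", "aws_s3_bucket",
                "aws_ec2_key_pair", "aws_vpc_route_table"]
_SAMPLE = [("2024-05-01T10:00:00Z", "chat-7", ["aws_s3_bucket"], 12),
           ("2024-05-01T10:02:00Z", "chat-7", ["aws_s3_bucket", "aws_region"], 12)]
_SAMPLE += [(f"2024-05-01T10:10:{5 * i:02d}Z", "chat-42", [t], 40)
            for i, t in enumerate(_ENUM_TABLES)]
_SAMPLE += [("2024-05-01T10:20:00Z", "chat-9", ["aws_iam_access_key"], 6000)]
SAMPLE_LOG = "\n".join(json.dumps({"ts": ts, "session": s, "tables": t, "rows": r})
                       for ts, s, t, r in _SAMPLE)


def run_demo() -> list:
    """Run detection over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for session, rule in run_demo():
        print(f"ALERT {rule}: session {session}")
```

The thresholds are deliberately crude; the point is that the log record needs the tables touched and the row count, not just the SQL text, because "which tables, how fast, how much" is what separates a normal question from an automated sweep of the environment.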
Layer 6 (Security and Compliance): Security relies heavily on the read-only nature of the configured Steampipe plugins. However, there is a risk of privilege creep if the underlying cloud credentials used by the plugins possess write permissions or access to sensitive resource payloads.
Layer 7 (Agent Ecosystem): In an MCP ecosystem, other connected agents could query this server. A compromised or malicious orchestrator agent could abuse this agent to map out the entire cloud infrastructure attack surface automatically.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).