Supabase MCP Server — agentic threat model

AIVSS 7.9 · High

The Supabase MCP Server presents a critical security profile due to its capability for arbitrary SQL execution and project management, which can lead to complete database compromise or data exfiltration if prompt injection occurs. While mitigations like read-only mode and project scoping exist, the agentic risk remains extremely high without strict, external enforcement of these controls.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 9.8 · AARS uplift 0.12 · Factor sum 5.3/10 · Threat ×1.1 · Mitigation ×0.8

Agentic risk factors (sum 5.3):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.40
Self-Modification: 0.20
Dynamic Tool Use: 0.90
Persistent Memory: 0.30
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.70
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
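As an added worked example (not code from the listing, Supabase or the OWASP project), the following Python recomputes the score above from the canonical formula and the ten factor values printed on this page, and additionally shows the same server with the mitigation credit removed:

```python
# Added worked example (not Supabase or OWASP project code): recompute the
# AIVSS score shown on this listing from the canonical formula
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
# All input values are the ones printed on the page.

CVSS_BASE = 9.8          # CVSS base score
THREAT_MULTIPLIER = 1.1  # ThM
MITIGATION_FACTOR = 0.8  # credit for read-only mode / project scoping

# The ten OWASP AIVSS agentic risk factors (each 0.0 to 1.0), as estimated on the page.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.70,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}

def factor_sum(factors):
    """Sum of the ten factors; the formula normalises it by dividing by 10."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} is outside 0..1")
    return sum(factors.values())

def aars(cvss_base, factors, threat_multiplier):
    """Agentic uplift: scales the headroom left above CVSS_Base (capped at 10)."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier

def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Final score: base plus agentic uplift, discounted by the mitigation factor."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor

def score_listing():
    """Return the page's numbers rounded as displayed, plus an unmitigated what-if."""
    args = (CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER)
    return {
        "factor_sum": round(factor_sum(AGENTIC_FACTORS), 1),   # 5.3
        "aars": round(aars(*args), 2),                          # 0.12
        "aivss": round(aivss(*args, MITIGATION_FACTOR), 1),     # 7.9
        # Hypothetical: same server with no mitigation credit (factor 1.0).
        "aivss_unmitigated": round(aivss(*args, 1.0), 1),       # 9.9
    }
```

The unmitigated value shows how little of the 9.8 base the mitigation factor removes: the read-only toggle and project scoping only earn credit if they are enforced outside the agent.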

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The MCP server is model-agnostic and relies on external LLMs. Threats include prompt injection leading to arbitrary SQL execution or unauthorized project management commands.

L2 · Data Operations (✓ mapped)

Direct access to database schemas, tables, and arbitrary SQL execution. High risk of data exfiltration, data poisoning, and unauthorized modification of database state if malicious inputs are processed.

L3 · Agent Frameworks (✓ mapped)

Orchestrates tool calling for SQL execution, schema inspection, and project management. Vulnerable to tool misuse (arbitrary SQL execution) and insecure tool integration if the calling agent is compromised.

L4 · Deployment & Infrastructure (✓ mapped)

Exposes Postgres query execution and edge-function tooling. Risk of container/host compromise or lateral movement if the database or edge functions are not properly sandboxed.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No explicit mention of logging, monitoring, or guardrails for SQL queries, though read-only mode acts as a hard constraint.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Mentions 'read-only mode toggle' and 'project scoping' as mitigations. However, arbitrary SQL execution bypasses standard application-level authorization unless strict database-level RLS or read-only users are enforced.

L7 · Agent Ecosystem (✓ mapped)

Designed specifically to expose tools to other AI agents (MCP protocol). High risk of A2A trust abuse where a compromised upstream agent issues malicious SQL commands.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).