Supabase MCP Server — agentic threat model
The Supabase MCP Server presents a critical security profile due to its capability for arbitrary SQL execution and project management, which can lead to complete database compromise or data exfiltration if prompt injection occurs. While mitigations like read-only mode and project scoping exist, the agentic risk remains extremely high without strict, external enforcement of these controls.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.40 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.60 | |
| Multi-Agent Interactions | 0.70 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — The MCP server is model-agnostic and relies on external LLMs. Threats include prompt injection of the calling model leading to arbitrary SQL execution or unauthorized project-management commands.
Layer 2 (Data Operations): Direct access to database schemas, tables, and arbitrary SQL execution. High risk of data exfiltration, data poisoning, and unauthorized modification of database state if malicious inputs are processed.
Layer 3 (Agent Frameworks): Orchestrates tool calling for SQL execution, schema inspection, and project management. Vulnerable to tool misuse (arbitrary SQL execution) and insecure tool integration if the calling agent is compromised.
Layer 4 (Deployment and Infrastructure): Exposes Postgres query execution and edge-function tooling. Risk of container/host compromise or lateral movement if the database or edge functions are not properly sandboxed.
Layer 5 (Evaluation and Observability): Not certain from the listing — No explicit mention of logging, monitoring, or guardrails for SQL queries, though read-only mode acts as a hard constraint.
Layer 6 (Security and Compliance): Mentions a 'read-only mode toggle' and 'project scoping' as mitigations. However, arbitrary SQL execution bypasses standard application-level authorization unless database-level controls (row-level security, or a read-only database role) are enforced.
Layer 7 (Agent Ecosystem): Designed specifically to expose tools to other AI agents (MCP protocol). High risk of A2A trust abuse where a compromised upstream agent issues malicious SQL commands.
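As an added example of the database-level enforcement the Security and Compliance layer above calls for (this is illustrative SQL written for this page, not configuration from the Supabase MCP Server or the Supabase project), the following creates a dedicated Postgres role for the MCP connection that is read-only by grant, not only by the server's toggle, and scopes its reads with row-level security. The role name `mcp_agent_ro`, the `customers` table and the `app.tenant_id` session setting are constructed placeholders.

```sql
-- Constructed example: least-privilege Postgres role for an MCP connection.
-- Role, table and setting names are placeholders, not Supabase's own names.

-- 1. Dedicated login role with read-only grants. The missing write grants are
--    the actual control: an injected INSERT/UPDATE/DELETE/DROP fails at the
--    database even if the MCP server's read-only toggle is switched off.
CREATE ROLE mcp_agent_ro LOGIN PASSWORD '<placeholder: inject from a secrets manager>';
REVOKE ALL ON SCHEMA public FROM mcp_agent_ro;
GRANT USAGE ON SCHEMA public TO mcp_agent_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO mcp_agent_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO mcp_agent_ro;

-- 2. Defence in depth: sessions start read-only and are time-boxed. A session
--    can switch itself back to read-write, so step 1 remains the real boundary.
ALTER ROLE mcp_agent_ro SET default_transaction_read_only = on;
ALTER ROLE mcp_agent_ro SET statement_timeout = '5s';
ALTER ROLE mcp_agent_ro SET search_path = public;

-- 3. Row-level security so an injected SELECT cannot sweep every tenant's rows.
CREATE TABLE IF NOT EXISTS customers (
  id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  tenant_id uuid NOT NULL,
  email     text NOT NULL
);
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
ALTER TABLE customers FORCE ROW LEVEL SECURITY;   -- applies to the owner too

-- The tenant is pinned per session by the trusted server layer
-- (SET app.tenant_id = '<uuid>') before any agent query runs, so the agent
-- cannot widen its own scope from inside a query. If the setting is absent,
-- current_setting(..., true) returns NULL and the policy matches no rows.
CREATE POLICY customers_tenant_scope ON customers
  FOR SELECT TO mcp_agent_ro
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 4. Verification: both statements must fail for this role
--    ("permission denied" / "cannot execute ... in a read-only transaction").
-- SET ROLE mcp_agent_ro;
-- DELETE FROM customers;
-- DROP TABLE customers;
```

Point the MCP server's database connection at this role rather than at a superuser or the project's service credentials, so that scoping holds even if the server-side mode toggle is misconfigured.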
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).