Supabase — agentic threat model
The Supabase MCP server presents an extremely high-risk profile because it grants LLMs direct schema-level database access and edge function deployment capabilities, effectively allowing arbitrary code execution and full data control.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
| --- | --- | --- |
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.40 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.70 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.60 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin that layer down.
Layer 1 (Foundation Models): Not certain from the listing — the listing does not specify the underlying foundation model, but any model driving this agent is highly exposed to prompt injection that could trigger destructive SQL execution or malicious edge function deployment.
Layer 2 (Data Operations): Critical risk. The agent has direct read/write access to all database rows and the schema. Threats include large-scale data exfiltration, unauthorized schema modification, and data poisoning via direct SQL queries.
Layer 3 (Agent Frameworks): High risk. Insecure tool integration is the primary threat; if the orchestrating framework fails to validate LLM tool calls, the agent can execute arbitrary database commands or deploy backdoored edge functions.
Layer 4 (Deployment and Infrastructure): High risk. The agent can deploy edge functions, which introduces risks of code execution, container/host compromise, and lateral movement within the Supabase infrastructure if credentials are leaked.
Layer 5 (Evaluation and Observability): Not certain from the listing — there is no mention of built-in guardrails, query logging, or anomaly detection to monitor or block malicious SQL commands generated by the agent.
Layer 6 (Security and Compliance): Critical risk. The agent relies on a highly privileged service-role or access token, violating the principle of least privilege and creating a single point of failure for database security.
Layer 7 (Agent Ecosystem): High risk. In a multi-agent or marketplace ecosystem, exposing this MCP server allows other, potentially compromised agents to abuse the trust relationship and gain full control over the database.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
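The two gaps called out above (tool-call validation at the framework layer and query logging at the observability layer) can be closed with a small policy gate in the MCP host, sitting between the model's proposed `execute_sql` call and the server. The following is an added illustration, not Supabase's or the MCP server's own code; the names `gate_sql_call`, `classify_sql` and `audit_record` are assumptions, and the keyword-based classifier is deliberately conservative (it fails closed on anything that looks like DML or DDL anywhere in the text, including inside string literals).

```python
import hashlib
import json
import re
from dataclasses import dataclass

# Keyword classes ranked by privilege. The most privileged keyword found anywhere in the
# comment-stripped text decides the class, so "WITH ... DELETE" or "EXPLAIN ANALYZE DROP"
# cannot hide a write behind a read-only leading keyword. String literals can cause false
# positives, which is the fail-closed direction for a guardrail.
_CLASSES = (("ddl", r"\b(create|alter|drop|truncate|grant|revoke)\b"),
            ("dml", r"\b(insert|update|delete|merge|copy)\b"))

@dataclass
class Decision:
    allowed: bool
    category: str   # "read", "dml" or "ddl"
    reason: str

def _strip_comments(sql: str) -> str:
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)

def classify_sql(sql: str) -> str:
    """Return the most privileged statement class present in the SQL text."""
    body = _strip_comments(sql).lower()
    for name, pattern in _CLASSES:
        if re.search(pattern, body):
            return name
    return "read"

def gate_sql_call(sql: str, read_only: bool = True) -> Decision:
    """Policy decision for one execute_sql tool call proposed by the model (hypothetical gate)."""
    category = classify_sql(sql)
    # A ';' left after removing the trailing terminator means a batch: reject it outright.
    if ";" in _strip_comments(sql).rstrip().rstrip(";"):
        return Decision(False, category, "multi-statement batch rejected")
    if read_only and category != "read":
        return Decision(False, category, f"{category} blocked in read-only mode")
    if category == "ddl":
        return Decision(False, category, "schema changes require human approval")
    return Decision(True, category, "allowed")

def audit_record(sql: str, decision: Decision) -> str:
    """One JSON line per tool call, feeding the query log / anomaly detection the listing lacks."""
    return json.dumps({"tool": "execute_sql", "category": decision.category,
                       "allowed": decision.allowed, "reason": decision.reason,
                       "sql_sha256": hashlib.sha256(sql.encode()).hexdigest()[:16]})
```

Writing `audit_record` output to an append-only sink per tool call gives the per-statement trail that Layer 5 above notes is missing, and counting `allowed: false` records per session is a cheap first anomaly signal.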