Teradata MCP Server — agentic threat model
The Teradata MCP Server introduces high agentic risk due to administrative database capabilities and a single highly-privileged credential, making prompt injection a direct vector for unauthorized database modification and data exfiltration.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — the underlying foundation model is not specified, but whichever model backs the agent is exposed to prompt injection that could be translated into malicious SQL queries or administrative commands.
Layer 2 (Data Operations): Directly interfaces with Teradata databases for querying, analysis, and AI/ML pipelines. The primary threats are unauthorized data exfiltration, data poisoning, and destructive schema modifications via SQL injection or prompt-driven manipulation.
Layer 3 (Agent Frameworks): The agent framework exposes database administration and querying tools. Insecure tool integration is a critical threat: a single DATABASE_URI credential lets the agent execute highly privileged administrative operations without sufficient isolation.
Layer 4 (Deployment and Infrastructure): The deployment relies on a single DATABASE_URI containing privileged credentials. Compromise of the hosting environment or container would expose these credentials, leading to full database compromise and potential lateral movement.
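A start-up check a deployer could run against the connection string before the server is allowed to use it, added here as an example (not code from the Teradata MCP Server project). It assumes a URI of the shape teradata://user:password@host:port/database, accepts teradatasql as an alternate scheme name (both shapes are assumptions), flags the default Teradata administrative account dbc, an embedded password and a missing default database, and provides a redact helper so the credential never reaches logs or the observability pipeline.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlparse

# Assumed URI shape (constructed for this example, not taken from the server's docs):
#   teradata://USER:PASSWORD@HOST[:PORT]/DEFAULT_DATABASE
ACCEPTED_SCHEMES = {"teradata", "teradatasql"}   # assumption: adjust to the real driver

# Accounts that must never back an agent connection. 'dbc' is Teradata's
# default administrative user; extend the set with site-specific DBA accounts.
ADMIN_ACCOUNTS = {"dbc"}

RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" | "high" | "medium" | "info"
    message: str


def inspect_database_uri(uri: str) -> list[Finding]:
    """Return least-privilege and secret-handling findings for a DATABASE_URI."""
    findings: list[Finding] = []
    p = urlparse(uri)
    if p.scheme not in ACCEPTED_SCHEMES:
        findings.append(Finding("high", f"unexpected scheme '{p.scheme}'"))
    user = unquote(p.username or "")
    if not user:
        findings.append(Finding("high", "no username in URI; the connection would rely on an implicit/default identity"))
    elif user.lower() in ADMIN_ACCOUNTS:
        findings.append(Finding("critical", f"URI authenticates as administrative account '{user}'; every tool call inherits DBA rights"))
    if p.password:
        findings.append(Finding("medium", "password embedded in URI; inject it from a secret manager at start-up and keep the URI out of logs"))
    if not p.path or p.path == "/":
        findings.append(Finding("info", "no default database; the agent can reach any database the account can see"))
    if not findings:
        findings.append(Finding("info", "no issues found by these checks"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    return max((f.severity for f in findings), key=RANK.__getitem__)


def redact(uri: str) -> str:
    """Log-safe form of the URI: password replaced, everything else kept."""
    p = urlparse(uri)
    if not p.password:
        return uri
    netloc = p.netloc.replace(f":{p.password}@", ":***@", 1)
    return p._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    # Constructed sample URIs; hostnames and passwords are placeholders.
    for sample in ("teradata://dbc:dbc@td.example.internal:1025/",
                   "teradatasql://agent_ro:s3cret@td.example.internal/sales"):
        print(redact(sample), "->", worst_severity(inspect_database_uri(sample)))
        for f in inspect_database_uri(sample):
            print("  ", f.severity, f.message)
```

Run it as a pre-flight step in the container entrypoint and refuse to start on a critical finding; the redacted form is the only one that should ever be printed.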
Layer 5 (Evaluation and Observability): Not certain from the listing — there is no explicit mention of query logging, guardrails, or anomaly detection to monitor and intercept malicious administrative commands generated by the agent.
Layer 6 (Security and Compliance): The listing claims 'enterprise security controls' are integrated, but the reliance on a single privileged connection string suggests a lack of granular, user-level authorization and auditability for agent-initiated actions.
Layer 7 (Agent Ecosystem): As an MCP (Model Context Protocol) server, this agent is designed to link other AI agents to Teradata. This creates a significant risk of cascading failures and trust abuse if upstream agents pass untrusted inputs that trigger administrative tools.
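The guardrail that layers 3, 5 and 6 above describe as missing can sit in the MCP tool handler between the model's output and the database: classify each statement the agent produced, reject stacked batches (the shape an upstream agent's untrusted input takes when a DROP rides behind a SELECT, as layer 7 warns), apply a per-caller role instead of the shared connection's rights, and emit an auditable decision per call. The code below is an added example, not the project's own; the roles, verb lists and log lines are constructed, and the SQL handling is a heuristic rather than a parser.

```python
import re
from dataclasses import dataclass

# Role -> statement classes that role may execute. Constructed policy; a real
# deployment derives the role from the calling user's identity, not from the
# single shared DATABASE_URI account.
ROLE_POLICY = {
    "analyst": {"read"},
    "data_engineer": {"read", "dml"},
    "dba": {"read", "dml", "ddl", "admin"},
}
SEVERITY = {"read": 0, "dml": 1, "ddl": 2, "admin": 3, "unknown": 3}

# Leading keywords per class (Teradata verbs; lists are illustrative, not exhaustive).
ADMIN_PREFIXES = ("CREATE USER", "MODIFY USER", "DROP USER", "CREATE ROLE", "DROP ROLE",
                  "CREATE PROFILE", "DROP PROFILE")
DDL_VERBS = ("CREATE", "DROP", "ALTER", "RENAME", "REPLACE")
DML_VERBS = ("INSERT", "UPDATE", "DELETE", "MERGE")
READ_VERBS = ("SELECT", "SHOW", "HELP", "EXPLAIN")


@dataclass(frozen=True)
class Decision:
    statement_class: str  # "read" | "dml" | "ddl" | "admin" | "unknown"
    unbounded: bool       # DELETE/UPDATE with no WHERE clause
    allowed: bool
    reason: str


def _strip_literals_and_comments(sql: str) -> str:
    # Blank string literals first so a ';' or '--' inside data cannot mislead
    # the splitter, then drop block and line comments. A quote inside a comment
    # can still confuse this heuristic; a real parser is the robust option.
    sql = re.sub(r"'(?:[^']|'')*'", "''", sql)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return sql


def split_statements(sql: str) -> list[str]:
    return [s.strip() for s in _strip_literals_and_comments(sql).split(";") if s.strip()]


def classify_statement(stmt: str) -> str:
    tokens = stmt.upper().split()
    if not tokens:
        return "unknown"
    head2 = " ".join(tokens[:2])
    if tokens[0] in ("GRANT", "REVOKE") or head2 in ADMIN_PREFIXES:
        return "admin"
    if tokens[0] in DDL_VERBS:
        return "ddl"
    if tokens[0] in DML_VERBS:
        return "dml"
    if tokens[0] in READ_VERBS:
        return "read"
    return "unknown"   # fail closed: unrecognised verbs rank as most severe


def _is_unbounded(stmt: str) -> bool:
    tokens = stmt.upper().split()
    return bool(tokens) and tokens[0] in ("DELETE", "UPDATE") and "WHERE" not in tokens


def authorize(role: str, sql: str) -> Decision:
    """Decide whether the caller's role may run the SQL the agent produced."""
    stmts = split_statements(sql)
    if not stmts:
        return Decision("unknown", False, False, "empty statement")
    worst = max((classify_statement(s) for s in stmts), key=SEVERITY.__getitem__)
    unbounded = any(_is_unbounded(s) for s in stmts)
    if len(stmts) > 1:
        return Decision(worst, unbounded, False, "multi-statement batch rejected")
    if worst not in ROLE_POLICY.get(role, set()):
        return Decision(worst, unbounded, False, f"role '{role}' may not run {worst} statements")
    if unbounded:
        return Decision(worst, unbounded, False, "DELETE/UPDATE without WHERE rejected")
    return Decision(worst, unbounded, True, "allowed")


# Constructed sample of an agent query log: timestamp|agent id|caller role|sql
SAMPLE_LOG = """\
2025-01-10T09:00:01Z|agent-42|analyst|SELECT TOP 10 * FROM sales.orders WHERE region = 'EMEA'
2025-01-10T09:00:07Z|agent-42|analyst|SELECT 1; DROP TABLE sales.orders
2025-01-10T09:01:15Z|agent-42|analyst|/* cleanup */ DELETE FROM sales.orders
2025-01-10T09:02:30Z|agent-42|data_engineer|UPDATE sales.orders SET status = 'closed' WHERE id = 17
2025-01-10T09:03:00Z|agent-42|analyst|GRANT ALL ON sales TO agent_svc
"""


def audit_log(text: str) -> list[dict]:
    """Replay a query log through authorize() to produce SIEM-ready decision records."""
    records = []
    for line in text.splitlines():
        ts, principal, role, sql = line.split("|", 3)
        d = authorize(role, sql)
        records.append({"ts": ts, "principal": principal, "role": role,
                        "class": d.statement_class, "allowed": d.allowed, "reason": d.reason})
    return records


if __name__ == "__main__":
    for r in audit_log(SAMPLE_LOG):
        verdict = "ALLOW" if r["allowed"] else "DENY "
        print(f"{verdict} {r['ts']} {r['principal']} {r['role']:<14} {r['class']:<7} {r['reason']}")
```

authorize() is the call to make from the tool handler before the statement reaches the driver; audit_log() shows the same logic replayed over a log export, which is the cheapest way to retrofit detection onto a deployment that already runs without a guardrail.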
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).