Vanna AI — agentic threat model
Vanna AI presents a high-risk profile primarily due to its direct interaction with enterprise databases. While it excels at NL-to-SQL translation, the potential for prompt injection leading to unauthorized SQL execution or data exfiltration requires strict downstream execution guardrails.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.20 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — Vanna AI is model-agnostic but relies on LLMs for NL-to-SQL translation. Threats include adversarial prompt injection that causes the model to generate malicious SQL, or model poisoning if it is trained on malicious schemas.
Layer 2 (Data Operations): Vanna AI trains on database schemas, metadata, and query history. Threats include training-data poisoning (injecting malicious schemas to bias SQL generation) and exfiltration of sensitive schema structures.
Layer 3 (Agent Frameworks): Vanna AI is a Python-based framework that translates NL to SQL; the main threat is insecure tool integration in which generated SQL is executed directly, without sanitization, leading to SQL injection or unauthorized data modification.
Layer 4 (Deployment & Infrastructure): Not certain from the listing — Vanna AI supports customizable deployment (self-hosted or cloud). Threats depend on the hosting environment and include exposed database credentials or a lack of network isolation between the agent and the databases it queries.
Layer 5 (Evaluation & Observability): Not certain from the listing — Continuous learning from user interactions is mentioned, but the absence of explicit guardrails or query-validation mechanisms could allow undetected drift or the execution of harmful queries.
Layer 6 (Security & Compliance): Not certain from the listing — Because the project is open source, compliance and access control (RBAC) are delegated to the implementer. Risks include the lack of native audit logging that distinguishes generated queries from executed ones.
Layer 7 (Agent Ecosystem): Not certain from the listing — No multi-agent or marketplace interactions are described, so ecosystem threats are minimal unless the agent is integrated into larger agentic workflows.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
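The "downstream execution guardrail" that the summary and the Layer 3, 5 and 6 entries call for, as an added example that is not part of Vanna AI or of this listing. The guardrail is hypothetical and stdlib-only: it accepts the text an NL-to-SQL generator produced, rejects anything that is not a single read-only SELECT over allow-listed tables, executes the survivor under a SQLite authorizer that refuses every non-read action, caps the returned rows, and records both the generated statement and the execution decision so that generated and executed queries can be audited separately. The schema, table names and rows are constructed for the demo.

```python
"""Execution guardrail for LLM-generated SQL (hypothetical, stdlib only)."""
import re
import sqlite3
from dataclasses import dataclass, field

# Constructed sample schema; a real deployment would hand the guardrail a
# read-only connection to its own database instead.
DEMO_SCHEMA = """
CREATE TABLE orders (id INTEGER, customer TEXT, amount REAL);
INSERT INTO orders VALUES (1, 'acme', 120.0), (2, 'globex', 75.5);
CREATE TABLE hr_salaries (employee TEXT, salary REAL);
INSERT INTO hr_salaries VALUES ('alice', 100000.0);
"""

# Keywords that never belong in a read-only analytics query.
WRITE_OR_ADMIN = re.compile(
    r"\b(insert|update|delete|drop|alter|create|replace|attach|detach|pragma|vacuum|reindex)\b",
    re.IGNORECASE,
)
# Table identifiers following FROM / JOIN (subqueries start with "(" and are skipped).
TABLE_REF = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


@dataclass
class AuditRecord:
    generated_sql: str
    decision: str          # "executed" or "rejected"
    reason: str = ""
    rows_returned: int = 0


@dataclass
class SqlGuardrail:
    conn: sqlite3.Connection
    allowed_tables: frozenset
    max_rows: int = 100
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        # Defence in depth: even if the textual checks miss something, the
        # SQLite authorizer refuses every action that is not a read.
        self.conn.set_authorizer(self._authorize)

    @staticmethod
    def _authorize(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    def validate(self, sql):
        """Return None if the statement is acceptable, otherwise the rejection reason."""
        stripped = sql.strip().rstrip(";").strip()
        if ";" in stripped:
            return "multiple statements"
        if "--" in stripped or "/*" in stripped:
            return "comment syntax not allowed"
        if not re.match(r"(?i)^select\b", stripped):
            return "not a SELECT"
        hit = WRITE_OR_ADMIN.search(stripped)
        if hit:
            return f"forbidden keyword {hit.group(1).upper()}"
        unknown = {t.lower() for t in TABLE_REF.findall(stripped)} - self.allowed_tables
        if unknown:
            return "table not in allow-list: " + ", ".join(sorted(unknown))
        return None

    def run(self, generated_sql):
        """Validate, execute and audit one generated statement; None when rejected."""
        reason = self.validate(generated_sql)
        if reason is not None:
            self.audit_log.append(AuditRecord(generated_sql, "rejected", reason))
            return None
        try:
            cur = self.conn.execute(generated_sql.strip().rstrip(";"))
            rows = cur.fetchmany(self.max_rows)   # cap how much data one query can pull
        except sqlite3.DatabaseError as exc:      # includes "not authorized" from the authorizer
            self.audit_log.append(AuditRecord(generated_sql, "rejected", f"db error: {exc}"))
            return None
        self.audit_log.append(AuditRecord(generated_sql, "executed", rows_returned=len(rows)))
        return rows


def make_demo_guardrail():
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)   # schema is loaded before the authorizer is installed
    return SqlGuardrail(conn, allowed_tables=frozenset({"orders"}))


def demo():
    """Exercise the guardrail with constructed 'generated' statements."""
    g = make_demo_guardrail()
    results = {
        "good": g.run("SELECT customer, amount FROM orders WHERE amount > 100"),
        "stacked": g.run("SELECT * FROM orders; DROP TABLE orders"),
        "write": g.run("DELETE FROM orders"),
        "other_table": g.run("SELECT salary FROM hr_salaries"),
    }
    # A statement that reaches the connection without passing through run()
    # is still refused by the authorizer.
    try:
        g.conn.execute("UPDATE orders SET amount = 0")
        results["raw_write_blocked"] = False
    except sqlite3.DatabaseError:
        results["raw_write_blocked"] = True
    results["audit"] = [(r.decision, r.reason) for r in g.audit_log]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The textual checks are deliberately conservative: a column literally named `update` or a string literal containing `create` is rejected rather than risked, and CTEs (`WITH ...`) are not accepted because the FROM/JOIN scan cannot tell a CTE name from a real table. The authorizer and the row cap cover what the regexes miss, but neither replaces a database role that only holds read grants on the tables the agent is meant to see; the audit log is what lets an implementer answer the Layer 6 question of which generated statements were actually run.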