
Databricks databricks-ai-functions — agentic threat model

AIVSS 7.6 · High

This agent skill generates SQL and pipeline code to execute AI functions directly against a user's Databricks warehouse. While it leverages Databricks' native security controls, the generation of executable database code introduces significant risks of prompt-injection-driven SQL execution and unauthorized data access.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.43
Factor sum: 2.9/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.85

Agentic risk factors:
Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.10
Dynamic Tool Use: 0.60
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.10
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
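To make the score above checkable rather than something to take on trust, here is an added Python example (not part of the listing or of any OWASP tooling) that recomputes AIVSS from the published inputs with the formula stated above. The ten factor values and the CVSS base, ThM and mitigation factor are the listing's own numbers; the qualitative severity bands are an assumption borrowed from the CVSS v3.x rating scale.

```python
# Added example: recompute the listing's AIVSS score from its published inputs.
# AIVSS = (CVSS_Base + AARS) x Mitigation_Factor
# AARS  = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM

# Agentic risk factors exactly as printed on the listing.
FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}

# Assumption: qualitative bands taken from the CVSS v3.x rating scale.
_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def aars(cvss_base: float, factor_sum: float, threat_multiplier: float) -> float:
    """Agentic AI Risk Score: the share of the remaining headroom (10 - CVSS)
    that the agentic factors claim, scaled by the threat multiplier ThM."""
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def severity(score: float) -> str:
    """Map a numeric score onto the assumed qualitative bands."""
    for floor, label in _BANDS:
        if score >= floor:
            return label
    return "None"


def aivss_breakdown(cvss_base: float, factors: dict, threat_multiplier: float = 1.0,
                    mitigation_factor: float = 1.0) -> dict:
    """Return every intermediate value so a reviewer can compare each one
    against the numbers printed on the listing, not just the final score."""
    factor_sum = sum(factors.values())
    uplift = aars(cvss_base, factor_sum, threat_multiplier)
    score = round((cvss_base + uplift) * mitigation_factor, 1)
    return {
        "factor_sum": round(factor_sum, 2),
        "aars": uplift,
        "score": score,
        "severity": severity(score),
    }


if __name__ == "__main__":
    result = aivss_breakdown(8.5, FACTORS, threat_multiplier=1.0, mitigation_factor=0.85)
    for key, value in result.items():
        print(f"{key:>10}: {value}")
```

With the listing's inputs the breakdown reproduces the printed values: a factor sum of 2.9, an AARS uplift of 0.435 (shown rounded as 0.43), and a final score of 7.6. Changing the mitigation factor in the call shows how much of the rating rests on that single estimated multiplier.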

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — the specific foundation models invoked by the generated SQL (via ai_query) are managed externally or via Databricks Model Serving, making them susceptible to prompt injection or model misalignment if untrusted inputs are passed to the SQL functions.

L2 · Data Operations · ✓ mapped

The agent directly interacts with Databricks warehouse data by generating SQL queries. Threats include data exfiltration, unauthorized table access, and data corruption if the generated SQL contains logical flaws or is manipulated via injection.

L3 · Agent Frameworks · ✓ mapped

Because the 'Agent Skill' encodes function signatures and usage patterns, a vulnerability in the framework that consumes it could lead to the generation of insecure or malicious SQL pipelines, effectively misusing the database as an execution tool.
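The L2 and L3 threats above share one control point: generated SQL should be screened before it reaches the warehouse, so that an injected or logically wrong statement is refused and logged rather than silently run. The following Python gate is an added example, not code from the skill or from Databricks. The table and function allowlists are constructed placeholders (ai_query appears in the listing; ai_classify is an assumed name), and in a real deployment they would be derived from the executing user's Unity Catalog grants.

```python
import re

# Constructed allowlists for illustration only; a real gate would derive them
# from the executing user's Unity Catalog grants. ai_query appears in the
# listing; ai_classify is an assumed name.
ALLOWED_TABLES = {"main.analytics.support_tickets", "main.analytics.customers"}
ALLOWED_AI_FUNCTIONS = {"ai_query", "ai_classify"}

# Anything that mutates data, schema or privileges must not come from a generator.
_WRITE_KEYWORDS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|COPY)\b",
    re.IGNORECASE,
)
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_LINE_COMMENT = re.compile(r"--[^\n]*")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_CTE_NAME = re.compile(r"\b([A-Za-z_]\w*)\s+AS\s*\(", re.IGNORECASE)
_TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)
_AI_CALL = re.compile(r"\b(ai_\w+)\s*\(", re.IGNORECASE)


def normalize(sql: str) -> str:
    """Drop comments and blank out string literals so that prompt text inside a
    literal can neither trigger a false keyword match nor hide a real one."""
    sql = _BLOCK_COMMENT.sub(" ", sql)
    sql = _LINE_COMMENT.sub(" ", sql)
    return _STRING_LITERAL.sub("'?'", sql)


def check_generated_sql(sql: str) -> list[str]:
    """Return findings for a generated statement; an empty list means it may run."""
    findings: list[str] = []
    body = normalize(sql).strip().rstrip(";").strip()

    # One submission must be exactly one read-only statement.
    if ";" in body:
        findings.append("multiple statements in one submission")
    if not re.match(r"(SELECT|WITH)\b", body, re.IGNORECASE):
        findings.append("not a read-only SELECT/WITH query")
    for keyword in _WRITE_KEYWORDS.findall(body):
        findings.append(f"write/DDL keyword present: {keyword.upper()}")

    # Every table reference must be a CTE defined in the query or an allowed table.
    cte_names = {name.lower() for name in _CTE_NAME.findall(body)}
    for table in _TABLE_REF.findall(body):
        if table.lower() not in cte_names and table.lower() not in ALLOWED_TABLES:
            findings.append(f"table outside allowlist: {table}")

    # Only the AI functions the pipeline is meant to use may be invoked.
    for function in _AI_CALL.findall(body):
        if function.lower() not in ALLOWED_AI_FUNCTIONS:
            findings.append(f"AI function outside allowlist: {function}")
    return findings


def is_safe_to_run(sql: str) -> bool:
    """Convenience wrapper for a pipeline step: run only when there are no findings."""
    return not check_generated_sql(sql)


if __name__ == "__main__":
    # Constructed samples of what a generator might emit for a ticket pipeline.
    samples = [
        "SELECT ticket_id, ai_query('summarizer', body) AS summary "
        "FROM main.analytics.support_tickets WHERE body LIKE '%delete%'",
        "WITH open_tickets AS (SELECT ticket_id, body FROM main.analytics.support_tickets "
        "WHERE status = 'open') SELECT ai_classify(body, ARRAY('bug', 'billing')) FROM open_tickets",
        "SELECT * FROM main.analytics.customers; DROP TABLE main.analytics.customers",
        "SELECT ai_gen(note) FROM main.hr.salaries",
    ]
    for sql in samples:
        print(check_generated_sql(sql) or "ok", "<-", sql[:60])
```

The gate is layered on top of the warehouse's own permissions, not used instead of them: Unity Catalog still decides what the executing user may read, while the gate turns a statement that strays outside the pipeline's declared tables, functions or read-only shape into a refusal that can be logged and reviewed. Regex screening is enough to illustrate the control; a production gate would use a proper SQL parser so that nested subqueries and dialect quirks are handled exactly.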

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — the execution environment is the user's Databricks workspace and SQL warehouses. Security relies heavily on workspace isolation, secure cluster policies, and network firewalls to prevent lateral movement.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — monitoring and observability depend on Databricks' native system tables, query history, and Unity Catalog lineage rather than any built-in agent-specific guardrails or logging mechanisms.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Access control and governance are managed by Databricks Unity Catalog. The generated SQL runs under the executing user's identity, requiring strict row- and column-level security policies to prevent privilege escalation.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — there is no indication of multi-agent orchestration or ecosystem-level interactions beyond standard integration into Databricks data pipelines.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).