Databricks databricks-core — agentic threat model
The Databricks databricks-core agent skill presents high risk because it can execute Databricks CLI commands and perform workspace operations; that capability makes it a high-value target for privilege escalation and data exfiltration.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.80 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, one entry per MAESTRO layer in order. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models: not certain from the listing. The specific foundation model powering the agent is not disclosed, leaving risks such as prompt injection, model-level backdoors, or adversarial manipulation unquantified.
Layer 2, Data Operations: interacts directly with the Databricks workspace, exposing workspace data, metadata, and configurations to potential exfiltration or unauthorized modification if the agent is compromised.
Layer 3, Agent Frameworks: executes Databricks CLI commands and workspace operations. High risk of tool misuse, command injection, or unauthorized execution of administrative CLI commands.
Layer 4, Deployment and Infrastructure: runs locally within the user's CLI environment or agent skill directories. Risks include local privilege escalation, execution of arbitrary CLI commands on the host, and exposure of Databricks configuration files and tokens.
Layer 5, Evaluation and Observability: not certain from the listing. No built-in evaluation, monitoring, logging, or guardrail mechanisms are described, creating potential blind spots in operational auditing.
Layer 6, Security and Compliance: relies on the underlying Databricks CLI authentication and authorization (tokens, config files). If the host is compromised, these credentials can be harvested, leading to full workspace compromise.
Layer 7, Agent Ecosystem: acts as a foundational skill that other Databricks skills build on. Vulnerabilities in this core skill can cascade to all dependent skills, leading to widespread ecosystem compromise.
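The layer 4 and layer 6 entries above both come down to the same exposure: long-lived Databricks CLI credentials sitting in a plaintext config file on the host the agent runs on. The following is an added example written for this page, not code from the listing or from Databricks' own tooling. It audits a config in the INI layout the Databricks CLI uses for `~/.databrickscfg`: it flags any profile that stores a static secret (`token`, `client_secret`, `password`) and checks that the file is owner-only. The host name and token value in the embedded sample are constructed placeholders; the check for owner-only permissions assumes a POSIX file system.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the INI layout of ~/.databrickscfg.
# The host and token values are placeholders, not real credentials.
SAMPLE_CFG = """\
[DEFAULT]
host = https://example.cloud.databricks.com
token = dapi-PLACEHOLDER-NOT-A-REAL-TOKEN

[oauth-profile]
host = https://example.cloud.databricks.com
auth_type = databricks-cli
"""

# Keys whose presence means a long-lived secret is stored in plaintext on disk.
STATIC_SECRET_KEYS = ("token", "client_secret", "password")


def find_static_secrets(cfg_text):
    """Return the names of profiles that carry a static secret.

    The parser's default section is renamed so that [DEFAULT] is treated as an
    ordinary profile and its keys are not inherited by every other section;
    otherwise a token in [DEFAULT] would flag every profile in the file.
    Interpolation is disabled so '%' characters in secrets cannot break parsing.
    """
    parser = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    parser.read_string(cfg_text)
    return [
        profile
        for profile in parser.sections()
        if any(parser.has_option(profile, key) for key in STATIC_SECRET_KEYS)
    ]


def is_owner_only(path):
    """True when the file's POSIX mode grants no group or other permission bits (e.g. 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_config_file(path):
    """Run both checks against a config file on disk and return a small report."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {
        "owner_only": is_owner_only(path),
        "static_secret_profiles": find_static_secrets(text),
    }


def demo(mode=0o644):
    """Write the constructed sample to a temp file with the given mode, audit it, clean up."""
    with tempfile.NamedTemporaryFile("w", suffix=".databrickscfg", delete=False) as fh:
        fh.write(SAMPLE_CFG)
        path = fh.name
    os.chmod(path, mode)
    try:
        return audit_config_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # With the sample above: owner_only is False at 0644, and only [DEFAULT] holds a static token.
    print(demo())
```

Run against a real `~/.databrickscfg`, a `static_secret_profiles` list that is not empty points at profiles worth migrating to OAuth-based authentication, and `owner_only` being false means any local user, including a compromised agent process running as another account, can read the file.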
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).