
Databricks databricks-core — agentic threat model

AIVSS 9.3 · Critical

The Databricks databricks-core agent skill presents high risk due to its ability to execute Databricks CLI commands and perform workspace operations, making it a high-value target for privilege escalation and data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.8
Factor sum: 5.3/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.80
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific foundation model powering the agent is not disclosed, leaving risks like prompt injection, model-level backdoors, or adversarial manipulation unquantified.

L2 · Data Operations (✓ mapped)

Interacts directly with the Databricks workspace, exposing workspace data, metadata, and configurations to potential exfiltration or unauthorized modification if the agent is compromised.

L3 · Agent Frameworks (✓ mapped)

Executes Databricks CLI commands and workspace operations. High risk of tool misuse, command injection, or unauthorized execution of administrative CLI commands.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally within the user's CLI environment or agent skill directories. Risks include local privilege escalation, execution of arbitrary CLI commands on the host, and exposure of Databricks configuration files/tokens.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in evaluation, monitoring, logging, or guardrail mechanisms are described, creating potential blind spots in operational auditing.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Relies on the underlying Databricks CLI authentication and authorization (tokens, config files). If the host is compromised, these credentials can be harvested, leading to full workspace compromise.

L7 · Agent Ecosystem (✓ mapped)

Acts as a foundational skill that other Databricks skills build on. Vulnerabilities in this core skill can cascade to all dependent skills, leading to widespread ecosystem compromise.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).