
Databricks databricks-genie — agentic threat model

AIVSS 7.3 · High

The Databricks Genie agent skill presents a high-risk profile due to its direct access to enterprise data environments via NL-to-SQL translation. While protected by Databricks' underlying security architecture, its experimental nature and potential for prompt-injection-driven data exfiltration require strict query-level guardrails.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.66
Factor sum: 4.4/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.8
Agentic risk factors (each scored 0–1):
Autonomy of Action: 0.50
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.30
Contextual Awareness: 0.60
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.20
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
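As an added worked example (not part of the listing or of the AIVSS calculator itself), the score above recomputed in Python from the factor values shown; the formula and numbers are the page's, while the function name, the range checks and the no-mitigation comparison are my own additions.

```python
# Added example: recompute the OWASP AIVSS score for this listing from the
# formula and factor values on the page. Not code from the listing itself.
from typing import Dict, Tuple

# The ten agentic risk factors exactly as listed for databricks-genie (0..1 each).
GENIE_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.50,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.50,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


def aivss(cvss_base: float, factors: Dict[str, float],
          threat_multiplier: float = 1.0,
          mitigation_factor: float = 1.0) -> Tuple[float, float, float]:
    """Return (factor_sum, aars, aivss) using the page's formula:
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    Range checks are my assumption of sensible input bounds, not AIVSS rules.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0..10")
    if len(factors) != 10:
        raise ValueError("AIVSS uses exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be within 0..1")
    if not 0.0 < mitigation_factor <= 1.0:
        raise ValueError("mitigation factor must be within (0, 1]")
    factor_sum = sum(factors.values())
    # AARS only adds the headroom left below 10, scaled by how agentic the system is.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return round(factor_sum, 2), round(aars, 2), round(min(score, 10.0), 1)


if __name__ == "__main__":
    print(aivss(8.5, GENIE_FACTORS, 1.0, 0.8))  # (4.4, 0.66, 7.3) as on the page
    # Same agent with no mitigation credit: shows how much the x0.8 factor is doing.
    print(aivss(8.5, GENIE_FACTORS, 1.0, 1.0))  # (4.4, 0.66, 9.2)
```

The second call illustrates that the 0.8 mitigation factor alone moves this listing from a critical-range raw score down to 7.3, so the controls it credits (Databricks' platform security) deserve verification rather than assumption.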

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific foundation model powering the Genie NL-to-SQL translation is not disclosed, so its exposure to model-specific prompt injection, adversarial manipulation, or indirect prompt injection via database contents cannot be assessed from the listing.

L2 · Data Operations (✓ mapped)

Directly reads and queries data in the user's Databricks environment. This introduces significant risks of unauthorized data access, data exfiltration, and schema exposure if the agent is manipulated into running overly permissive SQL queries.

L3 · Agent Frameworks (✓ mapped)

The agent framework orchestrates Genie space setup and SQL generation. Insecure tool integration is a primary threat, as malicious inputs could lead to SQL injection or unauthorized execution of administrative database commands.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — While presumably hosted within the secure Databricks infrastructure, the listing does not detail the specific sandboxing, network isolation, or container security controls applied to this experimental skill.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, query validation, or logging mechanisms to monitor and audit the generated SQL queries before execution.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The agent operates within the user's Databricks environment, meaning it likely inherits Unity Catalog governance and IAM policies. However, as an 'experimental' skill, it may lack formal compliance certifications.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — The agent is described as a standalone skill for Genie setup and querying, with no explicit multi-agent collaboration or external marketplace interactions mentioned.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).