ai-plugins-endorlabs — agentic threat model
The Endor Labs plugin introduces significant risk by installing and executing a local CLI (endorctl) and suggesting code or dependency modifications within a developer's environment. A compromise could lead to arbitrary command execution, source code exfiltration, or malicious dependency injection during guided remediation.
OWASP AIVSS score rationale
| Autonomy of Action | 0.60 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The plugin runs on top of Claude Code. Threats include prompt injection leading to malicious CLI command execution via endorctl or arbitrary code execution during guided remediation.
Not certain from the listing — The plugin accesses local source code, dependency manifests, and scan results. Threats include data exfiltration of proprietary source code to Endor Labs or unauthorized third parties, and poisoning of dependency lockfiles to trick the scanner.
The plugin integrates with Claude Code to execute commands and skills (installing endorctl, running scans). Threats include insecure tool integration where Claude Code is tricked into running arbitrary shell commands instead of or in addition to endorctl, or tool misuse leading to unauthorized code modifications during guided remediation.
Not certain from the listing — The CLI endorctl is installed locally or in the developer's environment. Threats include privilege escalation if endorctl is run with elevated permissions, or execution of untrusted binaries if the installation source is compromised.
Not certain from the listing — No explicit mention of logging, guardrails, or observability for the plugin's actions within Claude Code. Threats include blind spots where malicious code modifications go unnoticed or unauthorized CLI executions are not logged.
Not certain from the listing — Requires authentication to Endor Labs (likely via API keys/tokens). Threats include credential theft of Endor Labs tokens, lack of fine-grained authorization for what the plugin can modify, and compliance gaps regarding code privacy.
The plugin operates within the Claude Code ecosystem as an agentic plugin. Threats include cascading failures if Claude Code chain-calls this plugin with malicious inputs, or if a compromised dependency in the supply chain exploits the scanner itself.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).