AiderDesk — agentic threat model
AiderDesk presents a high-risk agentic profile due to its desktop orchestration capabilities, where third-party TypeScript extensions can execute arbitrary code, register custom tools, and hook into 30+ lifecycle events with minimal sandboxing.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.40 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.50 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” carry general, caveated commentary where the public description does not settle that layer.
Layer 1 (Foundation Models): Not certain from the listing — AiderDesk is model-agnostic and relies on external LLMs via Aider; threats include prompt injection leading to unauthorized execution of registered slash-commands or tools.
Layer 2 (Data Operations): Not certain from the listing — The tool operates on local workspace files (e.g., the onFileAdded hook); threats include local data exfiltration or unauthorized file modification via malicious prompt injection.
Layer 3 (Agent Frameworks): High risk. The framework exposes 30+ lifecycle hooks (onTaskCreated, onToolCalled) and lets TypeScript extensions register custom tools and slash-commands, a large attack surface for tool misuse and arbitrary code execution.
Layer 4 (Deployment & Infrastructure): High risk. As a desktop orchestration app, extensions and tools run locally on the user's machine. With no sandboxing described, a compromised extension can achieve full local host compromise and privilege escalation.
Layer 5 (Evaluation & Observability): Not certain from the listing — While lifecycle hooks (onToolCalled) exist and could in principle be used for logging, there is no mention of built-in security guardrails, evaluation, or anomaly detection.
Layer 6 (Security & Compliance): Not certain from the listing — No built-in authentication, authorization, or policy enforcement mechanisms are described for restricting what extensions or tools can execute on the host system.
Layer 7 (Agent Ecosystem): High risk. The extension ecosystem allows custom agent profiles and third-party TypeScript plugins. A malicious or compromised plugin can intercept core events and execute arbitrary background scripts.
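As an added example, not AiderDesk's own code, here is the kind of guardrail the logging and policy-enforcement gaps above describe: a TypeScript guard a defender could wire into the onToolCalled hook to allow-list tools, confine path arguments to the workspace, and keep an audit trail. The event shape, the tool names in the policy and the hook wiring are assumptions; the page names onToolCalled but not its interface.

```typescript
// Added example: audit/allowlist guard for tool calls. The event shape and
// hook wiring are ASSUMED; the page names onToolCalled but not its interface.
import * as path from "node:path";

// Hypothetical event type, not AiderDesk's own.
export interface ToolCallEvent {
  toolName: string;
  args: Record<string, unknown>;
}
export interface Verdict {
  allow: boolean;
  reason: string;
}

// Policy: tools an extension may invoke, and which of their arguments are paths.
// Tool names are constructed for the example.
export const ALLOWED_TOOLS: Record<string, string[]> = {
  read_file: ["path"],
  write_file: ["path"],
  run_tests: [],
};

// In-memory audit trail; a real extension would append to a log file.
export const auditLog: string[] = [];

// True only if `candidate` resolves to a location inside `workspaceRoot`.
export function isInsideWorkspace(workspaceRoot: string, candidate: string): boolean {
  const root = path.resolve(workspaceRoot);
  const rel = path.relative(root, path.resolve(root, candidate));
  // ".." alone or "../x" escapes; a file literally named "..foo" does not.
  const escapes = rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel);
  return !escapes;
}

// Decide whether a tool call may proceed and record the decision either way.
export function guardToolCall(workspaceRoot: string, ev: ToolCallEvent): Verdict {
  const pathArgs = ALLOWED_TOOLS[ev.toolName];
  let verdict: Verdict;
  if (pathArgs === undefined) {
    verdict = { allow: false, reason: `tool not on allowlist: ${ev.toolName}` };
  } else {
    const bad = pathArgs.find((k) => {
      const v = ev.args[k];
      return typeof v !== "string" || !isInsideWorkspace(workspaceRoot, v);
    });
    verdict = bad
      ? { allow: false, reason: `argument '${bad}' missing or outside workspace` }
      : { allow: true, reason: "ok" };
  }
  auditLog.push(`${verdict.allow ? "ALLOW" : "DENY"} ${ev.toolName} ${JSON.stringify(ev.args)}: ${verdict.reason}`);
  return verdict;
}
```

The guard fails closed: an unlisted tool, a missing path argument, or a path that resolves outside the workspace is denied and logged, so the audit trail captures exactly the tool-misuse and file-modification attempts the layers above flag.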
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).