

Anthropic's Claude Computer use — agentic threat model

AIVSS 8.0 · High

Claude Code operates with high agentic risk due to its direct integration into the developer's terminal, granting it the ability to execute shell commands, modify local codebases, and potentially access sensitive credentials, though mitigated slightly by visible reasoning features like the scratchpad.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base (CVSS_Base): 8.5
AARS uplift: 0.91
Factor sum (Factor_Sum): 5.8/10
Threat multiplier (ThM): ×1.05
Mitigation factor (Mitigation_Factor): ×0.85

Agentic risk factors (each scored 0.0–1.0):

  Autonomy of Action         0.80
  Goal-Driven Planning       0.90
  Self-Modification          0.30
  Dynamic Tool Use           0.90
  Persistent Memory          0.40
  Contextual Awareness       0.80
  Dynamic Identity           0.30
  Multi-Agent Interactions   0.20
  Non-Determinism            0.70
  Opacity & Reflexivity      0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
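To check the arithmetic behind the 8.0, here is an added Python example (not the listing's own code, nor the OWASP calculator's) that implements the formula quoted above over the ten factors and reproduces this listing's numbers; the qualitative severity bands are an assumption (CVSS v3 ranges), since the listing only shows that 8.0 is "High".

```python
# Added example (not from the AgentReadyHome listing or the OWASP calculator):
# reproduce this listing's AIVSS from the formula and values printed above.

# The ten agentic risk factors with the listing's estimates (each 0.0-1.0).
FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.90,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}
CVSS_BASE = 8.5           # CVSS base score shown in the listing
THREAT_MULTIPLIER = 1.05  # ThM ("Threat x1.05" in the listing)
MITIGATION_FACTOR = 0.85  # Mitigation_Factor ("Mitigation x0.85")

def factor_sum(factors):
    """Sum the ten factors, rejecting a wrong count or out-of-range values."""
    if len(factors) != 10:
        raise ValueError("AIVSS defines exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}={value} is outside [0, 1]")
    return sum(factors.values())

def aars(cvss_base, factors, thm):
    """Agentic risk uplift: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm

def aivss(cvss_base, factors, thm, mitigation):
    """Final score (CVSS_Base + AARS) * Mitigation_Factor, rounded to 0.1."""
    return round((cvss_base + aars(cvss_base, factors, thm)) * mitigation, 1)

def severity(score):
    """Qualitative band; assumes the CVSS v3 ranges (8.0 falls in High)."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    return "Low" if score > 0.0 else "None"

if __name__ == "__main__":
    score = aivss(CVSS_BASE, FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    print(f"Factor sum {factor_sum(FACTORS):.1f}/10, "
          f"AARS {aars(CVSS_BASE, FACTORS, THREAT_MULTIPLIER):.2f}, "
          f"AIVSS {score:.1f} · {severity(score)}")
```

Running it prints the same 5.8/10, 0.91 and 8.0 as the listing; changing a factor estimate shows how much of the final score the agentic uplift actually contributes.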

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Utilizes Claude's foundation models with extended thinking capabilities. Highly vulnerable to indirect prompt injection if the agent processes untrusted files, pull requests, or external documentation containing malicious instructions designed to hijack the model's reasoning.

L2 · Data Operations (✓ mapped)

Operates directly on local codebases, reading files, git history, and terminal outputs. Risks include data exfiltration of proprietary source code if the agent is manipulated into sending codebase contents to external endpoints, or codebase poisoning where malicious local files manipulate the agent's behavior.

L3 · Agent Frameworks (✓ mapped)

Orchestrates multi-step terminal commands, file editing, and test execution. The primary threat is tool misuse, where prompt injection or planning errors lead the agent to execute destructive shell commands (e.g., deleting files, modifying system configurations, or installing malicious dependencies).

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — the exact sandboxing mechanisms for local terminal execution are not detailed. If run directly on the host system without containerization, a compromise of the agent leads directly to host compromise, privilege escalation, and lateral movement using the developer's local SSH keys and cloud credentials.

L5 · Evaluation & Observability (✓ mapped)

Provides observability through a 'scratchpad' and 'extended thinking mode' that reveals its reasoning process. However, security blind spots remain if there is no independent, tamper-proof logging of the actual shell commands executed by the agent versus what it reports in the scratchpad.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — specific enterprise compliance controls, command whitelisting, or human-in-the-loop approval configurations are not detailed. Without strict policy enforcement, the agent may violate compliance by committing unreviewed code or accessing unauthorized environments.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — there is no explicit mention of multi-agent orchestration or marketplace integrations. The primary ecosystem risk is limited to cascading failures if the agent interacts with local CI/CD pipelines or automated git hooks.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).