
AugmentClaude Best Claude Skills — agentic threat model

AIVSS 8.8 · High

The agentic risk is primarily driven by supply chain vulnerabilities: the listing is a repository of third-party skill plugins for Claude Code, and a compromised or poorly vetted plugin could execute arbitrary local commands.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
Inputs: CVSS base 8.4 · AARS uplift 0.4 · Factor sum 2.5/10 · Threat multiplier (ThM) ×1.0 · Mitigation factor ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.20
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
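The formula above carried through in code, as an added example that is not part of the listing or the AIVSS calculator: it applies the two equations to this listing's ten factor values and reproduces the 8.8. Function names are my own, and the qualitative bands in severity() are an assumption (CVSS v3.x bands reused for AIVSS).

```python
# Added example: OWASP AIVSS scoring as quoted on this page, applied to the
# listing's ten agentic risk factors. Not the calculator's own code.

AGENTIC_FACTORS = {  # factor values taken from the listing above
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}

def aars(cvss_base: float, factors: dict, threat_multiplier: float = 1.0) -> float:
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.
    Each factor must lie in [0, 1], so Factor_Sum / 10 is a fraction of the
    headroom left above the CVSS base score."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    bad = {k: v for k, v in factors.items() if not 0.0 <= v <= 1.0}
    if bad:
        raise ValueError(f"factors out of range: {bad}")
    factor_sum = sum(factors.values())  # 2.5 for this listing
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier

def aivss(cvss_base: float, factors: dict,
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> float:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded to one decimal.
    Since AARS <= 10 - CVSS_Base, the unmitigated score is capped at 10.0."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return round(min((cvss_base + uplift) * mitigation_factor, 10.0), 1)

def severity(score: float) -> str:
    """Qualitative band. Assumption: CVSS v3.x bands are reused for AIVSS."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

if __name__ == "__main__":
    score = aivss(8.4, AGENTIC_FACTORS)       # CVSS base 8.4 from the listing
    print(f"AARS uplift {aars(8.4, AGENTIC_FACTORS):.1f}")   # 0.4
    print(f"AIVSS {score} · {severity(score)}")              # AIVSS 8.8 · High
```

Setting every factor to 1.0 drives the unmitigated score to exactly 10.0, which is why a high CVSS base leaves little room for the agentic uplift even on a plugin repository with broad Dynamic Tool Use.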

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The listing describes a plugin repository for Claude Code, not the underlying foundation model itself, though it assumes Claude (Anthropic) models are used.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — No specific data operations, vector stores, or RAG pipelines are described, only skill bundles/plugins.

L3 · Agent Frameworks (✓ mapped)

The agent framework here is Claude Code, extended by these 14 skill plugins. Threats include insecure tool integration, malicious skill execution, and tool misuse if any of these plugins contain vulnerabilities or malicious code.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment environment depends entirely on where the user runs Claude Code (e.g., local developer machine, CI/CD). No specific infrastructure is described.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No mention of built-in evaluation, logging, or guardrails for these plugins.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — No security controls, authentication, or compliance frameworks are mentioned for the marketplace or the plugins.

L7 · Agent Ecosystem (✓ mapped)

This is a curated marketplace/ecosystem of skill plugins. Threats include supply chain compromise, rogue or compromised plugins, and trust abuse, where a user installs a plugin believing it is safe and it then executes malicious commands.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).