
backlog — agentic threat model

AIVSS 9.0 · Critical

backlog introduces notable agentic risk due to its 24 MCP tools, event-sourced cross-session storage, and multi-agent coordination capabilities, which could allow persistent manipulation of project states and dependency chains if compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 7.3
AARS uplift: 1.67
Factor sum: 5.9/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.30
Dynamic Tool Use: 0.80
Persistent Memory: 0.90
Contextual Awareness: 0.70
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.60
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
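The score above can be reproduced from the quoted formula and the ten factor values. The following is an added worked example, not code from the listing, the AIVSS calculator, or the backlog project; the rounding (two decimals for the AARS uplift, one for the final score), the cap at 10, and the CVSS-style severity bands are assumptions chosen to match the displayed values.

```python
# Worked AIVSS computation for the ten agentic risk factors listed above.
# Formula (as quoted on the page):
#   AIVSS = (CVSS_Base + AARS) x Mitigation_Factor
#   AARS  = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM
# Rounding, the cap at 10 and the severity bands are assumptions, not part of the page.

# Factor values as listed for backlog.
BACKLOG_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.90,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def factor_sum(factors):
    # Each factor is scored 0.0 to 1.0; ten factors give a sum out of 10.
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} is outside 0.0 to 1.0")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier=1.0):
    # Agentic AI Risk Score: the headroom above the CVSS base (10 - base),
    # scaled by the normalised factor sum and the threat multiplier (ThM).
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    # Final score, rounded to one decimal and capped at 10 (assumed conventions).
    score = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return min(round(score, 1), 10.0)


def severity(score):
    # CVSS v3-style qualitative bands, assumed here for labelling only.
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


if __name__ == "__main__":
    base, thm, mitigation = 7.3, 1.05, 1.0
    print(f"Factor sum: {factor_sum(BACKLOG_FACTORS):.1f}/10")
    print(f"AARS uplift: {aars(base, BACKLOG_FACTORS, thm):.2f}")
    final = aivss(base, BACKLOG_FACTORS, thm, mitigation)
    print(f"AIVSS: {final} ({severity(final)})")
```

Because the mitigation factor multiplies the whole sum, it is the only term in which controls such as the guardrails, logging and access policies that the L5 and L6 layers below note as unconfirmed would lower the score; the agentic factors themselves only raise it above the CVSS base.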

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — backlog runs inside Claude Code, meaning the underlying foundation model is Claude (Anthropic). It is susceptible to prompt injection attacks that could hijack the 24 MCP tools or manipulate the planning and standup skills.

L2 · Data Operations (✓ mapped)

Uses event-sourced cross-session storage for tasks, projects, tags, dependencies, and docs. This persistent storage is vulnerable to memory/state poisoning, where an attacker injects malicious tasks or dependencies that persist across sessions.

L3 · Agent Frameworks (✓ mapped)

The agent framework provides 24 Model Context Protocol (MCP) tools and 7 planning/standup skills. Insecure tool integration or lack of input validation on these tools could allow arbitrary task manipulation, dependency hijacking, or unauthorized state changes.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — as an open-source TypeScript tool for Claude Code, backlog is most likely deployed locally on the developer's machine. If that host is compromised, the event-sourced storage files and the local MCP server configuration could be modified.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in guardrails, evaluation frameworks, or logging mechanisms that would detect anomalous tool calls or malicious state changes in the event-sourced database.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — the listing makes no explicit mention of authentication, authorization, or access-control policies governing who can invoke the MCP tools or modify the persistent project backlog.

L7 · Agent Ecosystem (✓ mapped)

The listing explicitly mentions 'agent coordination' and integration with Claude Code. This introduces multi-agent trust risks: a compromised agent elsewhere in the ecosystem could issue malicious commands to backlog and manipulate project dependencies or task lists.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).