Basic Memory — agentic threat model
Basic Memory introduces significant risk of persistent memory poisoning and local file system exposure by allowing agents to read and write markdown files directly on the host. Its agentic risk is driven by its persistent state across sessions, though mitigated by its lack of autonomous execution or dynamic tool-calling capabilities.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.40 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.90 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.30 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — The agent relies on external LLMs via the Model Context Protocol (MCP). The primary threat is model reprogramming or prompt injection when poisoned notes from the local markdown knowledge graph are recalled into the active context window.
Layer 2, Data Operations: The core of this agent is local RAG and semantic memory. The primary threats are data poisoning of the local markdown files (which can alter future agent behavior) and lack of input validation on files read from the user's knowledge base, potentially leading to path traversal or unauthorized file access.
Layer 3, Agent Frameworks: The agent framework manages bidirectional note linking and persistent state. Memory poisoning is a critical threat here, as malicious or malformed notes can corrupt the semantic graph, leading to logic bypasses or unexpected tool execution in the orchestrating framework.
Layer 4, Deployment and Infrastructure: The agent runs locally as an MCP tool, reading and writing directly to the host disk. The main threat is directory traversal or arbitrary file write/read if the agent does not strictly sandbox its file operations to a designated workspace directory.
Layer 5, Evaluation and Observability: Not certain from the listing — There is no mention of built-in guardrails, logging, or anomaly detection to identify when poisoned notes are being injected into the knowledge graph or when unauthorized file paths are accessed.
Layer 6, Security and Compliance: Not certain from the listing — The tool relies on the host environment's file permissions for access control. There are no explicit authentication or authorization mechanisms described to restrict which client applications or agents can read/write to the knowledge graph.
Layer 7, Agent Ecosystem: As an MCP tool, this agent is designed to be called by other agents. A compromised or malicious upstream agent could abuse this tool to exfiltrate sensitive local files or write malicious payloads into the user's persistent knowledge base.
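The path-traversal threat in the data-operations and deployment layers above, and the missing access logging in the observability layer, all come down to one control: every client-supplied note path must be resolved and confined to the workspace root before the tool touches the disk, and every refusal must be recorded. The following is an added example, not Basic Memory's own code; it assumes a tool that keeps notes as `.md` files under a single workspace directory and receives relative paths from its MCP client. The function and class names (`is_within_workspace`, `check_note_request`, `resolve_note_path`, `PathOutsideWorkspace`) are hypothetical.

```python
"""Confine an MCP memory tool's note reads and writes to one workspace directory.

Added example, not Basic Memory's own code. Assumptions: notes are .md files
under a single root, and every read/write arrives as a client-supplied path.
"""
import logging
import os
import tempfile
from pathlib import Path

log = logging.getLogger("memory_tool.audit")


class PathOutsideWorkspace(PermissionError):
    """Raised when a requested note path is refused by the workspace policy."""


def is_within_workspace(workspace, requested) -> bool:
    """True if `requested`, joined to the workspace and fully resolved, stays under it.

    resolve() collapses '..' segments and follows symlinks, so a symlink planted
    inside the workspace that points outside it is rejected too. An absolute
    `requested` replaces the root when joined and is caught the same way.
    The comparison is on path components, not on a string prefix, so a sibling
    directory such as '<root>-evil' does not pass.
    """
    root = Path(workspace).resolve()
    candidate = (root / requested).resolve()
    return candidate == root or root in candidate.parents


def check_note_request(workspace, requested) -> tuple[bool, str]:
    """Policy decision for one note access, returned as (allowed, reason)."""
    if not is_within_workspace(workspace, requested):
        return False, "path escapes workspace"
    if Path(requested).suffix.lower() != ".md":
        return False, "not a markdown note"
    return True, "ok"


def resolve_note_path(workspace, requested) -> Path:
    """Resolve a client-supplied note path or raise; every denial is logged."""
    allowed, reason = check_note_request(workspace, requested)
    if not allowed:
        # Denied requests are the signal an operator wants surfaced (MAESTRO layer 5).
        log.warning("denied note access requested=%r reason=%s", requested, reason)
        raise PathOutsideWorkspace(f"{requested}: {reason}")
    return (Path(workspace).resolve() / requested).resolve()


def write_note(workspace, requested, content: str) -> Path:
    """Write a note only after its path has passed the workspace policy."""
    path = resolve_note_path(workspace, requested)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content, encoding="utf-8")
    return path


def read_note(workspace, requested) -> str:
    """Read a note only after its path has passed the workspace policy."""
    return resolve_note_path(workspace, requested).read_text(encoding="utf-8")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(name)s %(message)s")
    # Constructed sample workspace in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "knowledge"
        ws.mkdir()
        print("wrote", write_note(ws, "projects/threat-model.md", "# notes\n"))
        # A file outside the workspace, plus a symlink to it planted inside.
        outside = Path(tmp) / "outside.md"
        outside.write_text("not a note\n", encoding="utf-8")
        os.symlink(outside, ws / "link.md")
        for bad in ["../outside.md", str(outside), "link.md", "projects/run.sh"]:
            try:
                read_note(ws, bad)
            except PathOutsideWorkspace as exc:
                print("denied:", exc)
```

Running the block writes one note inside the workspace and then refuses the four other requests: a `..` escape, an absolute path, a symlink that resolves outside the root, and a non-markdown file. Each refusal is emitted on the `memory_tool.audit` logger, which is the hook an operator would route to whatever monitoring the host already has.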
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).