Blocks Team — agentic threat model
Blocks Team presents a high-risk profile because it is deeply integrated into critical development and communication tools (GitHub, Slack, Linear) and coordinates multiple agents, so a compromise of the agent or of one of its integrations could lead to unauthorized code execution or exfiltration of sensitive data.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.50 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.60 | |
| Multi-Agent Interactions | 0.70 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — likely relies on external frontier LLMs for code generation. The key threat is prompt injection via Slack messages, GitHub comments, or issue text, which could steer the model into generating insecure or malicious code that then flows into a pull request.
Layer 2, Data Operations: Not certain from the listing — requires ingestion of codebase repositories, Slack conversations, and Linear tickets. This exposes the agent to data exfiltration (secrets or private discussions copied into outputs) and to context-window poisoning from untrusted files in repositories, such as README or config files carrying injected instructions.
Layer 3, Agent Frameworks: The orchestration framework coordinates actions across Slack, GitHub, and Linear. Insecure tool integration is the major threat: if the agent can run tests or execute code, an injected instruction becomes code execution in whatever environment the tool runs in, and tool calls that are not checked against a per-action allowlist let one compromised channel reach all three systems.
Layer 4, Deployment and Infrastructure: Not certain from the listing — likely hosted as a closed-source SaaS. If the agent executes or builds code during its workflow, a lack of robust sandboxing could allow container escape, host compromise, or lateral movement into the hosting infrastructure.
Layer 5, Evaluation and Observability: Not certain from the listing — no details are provided regarding logging, guardrails, or output verification. Without an audit trail of tool calls and denied attempts, silent drift or injected changes could go undetected until after pull requests are merged.
Layer 6, Security and Compliance: Not certain from the listing — requires OAuth integrations with GitHub, Slack, and Linear. The primary risk is over-privileged API tokens (e.g., write access to all repositories in the organization) combined with a lack of fine-grained authorization controls; every action the agent is allowed to take is an action an injected prompt can take.
Layer 7, Agent Ecosystem: The platform supports invoking 'coding agents of your choice'. This multi-agent ecosystem introduces rogue or compromised third-party agents as a threat, leading to agent-to-agent trust abuse (a third-party agent inheriting the orchestrator's privileges) and cascading failures across connected enterprise tools.
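Layers 3, 5, 6 and 7 above share one mitigation: a deny-by-default gate that checks every tool call against a per-caller allowlist before it reaches GitHub, Slack or Linear, records the decision, and gives third-party agents a narrower policy than the first-party orchestrator. The following is an added illustration, not Blocks Team's code; the tool-call shape, the policy layout, the caller names and the repository names are assumptions for the example. In a real deployment the allowlist would also be enforced by the GitHub App's repository permissions and the Slack and Linear token scopes, not only in application code.

```python
"""Deny-by-default gate for agent tool calls, with an audit trail.

Added example; not Blocks Team code. The tool-call shape
({"tool": ..., "target": ...}), the policy layout, the caller names and the
"acme/..." repositories are assumptions for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Policy:
    # tool name -> target patterns (repo "org/name", Slack channel, Linear team)
    allowed: dict[str, list[str]]
    # tools never permitted for this caller, even if an injected prompt asks
    denied_tools: set[str] = field(default_factory=set)
    # tools whose calls must be approved by a human before execution
    approval_required: set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


# Hypothetical per-caller policies: the first-party orchestrator may act on a
# small set of repos (merges need approval); a third-party "coding agent of
# your choice" gets one repo, read and PR-create only, and can never merge.
POLICIES: dict[str, Policy] = {
    "orchestrator": Policy(
        allowed={
            "github.read_file": ["acme/web-*"],
            "github.create_pull_request": ["acme/web-*"],
            "github.merge_pull_request": ["acme/web-*"],
            "slack.post_message": ["#eng-bots"],
            "linear.update_issue": ["ENG"],
        },
        denied_tools={"shell.exec"},
        approval_required={"github.merge_pull_request"},
    ),
    "thirdparty-coder": Policy(
        allowed={
            "github.read_file": ["acme/web-frontend"],
            "github.create_pull_request": ["acme/web-frontend"],
        },
        denied_tools={"shell.exec", "github.merge_pull_request"},
    ),
}

AUDIT_LOG: list[dict] = []


def authorize(call: dict, caller: str) -> Decision:
    """Decide one tool call. Unknown callers, tools and targets are denied."""
    tool = call.get("tool", "")
    target = call.get("target", "")
    policy = POLICIES.get(caller)
    if policy is None:
        decision = Decision(False, f"unknown caller {caller!r}")
    elif tool in policy.denied_tools:
        decision = Decision(False, f"{tool} is blocked for {caller}")
    elif tool not in policy.allowed:
        decision = Decision(False, f"{tool} not in allowlist for {caller}")
    elif not any(fnmatchcase(target, pat) for pat in policy.allowed[tool]):
        decision = Decision(False, f"{target!r} outside allowed scope of {tool}")
    else:
        decision = Decision(True, "allowed",
                            needs_approval=tool in policy.approval_required)
    # Every decision is recorded; a burst of denials from one caller is the
    # observable symptom of an injected prompt trying to widen its reach.
    AUDIT_LOG.append({"caller": caller, "tool": tool, "target": target,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def run_batch(calls: list[tuple[str, dict]]) -> list[Decision]:
    return [authorize(call, caller) for caller, call in calls]


if __name__ == "__main__":
    # Constructed sample: one legitimate PR, then calls an injected Slack
    # message might provoke (merge without review, touch another repo, run a
    # shell, have the third-party agent merge).
    sample = [
        ("orchestrator", {"tool": "github.create_pull_request", "target": "acme/web-api"}),
        ("orchestrator", {"tool": "github.merge_pull_request", "target": "acme/web-api"}),
        ("orchestrator", {"tool": "github.create_pull_request", "target": "acme/payroll"}),
        ("orchestrator", {"tool": "shell.exec", "target": "runner-1"}),
        ("thirdparty-coder", {"tool": "github.merge_pull_request", "target": "acme/web-frontend"}),
        ("thirdparty-coder", {"tool": "github.read_file", "target": "acme/web-frontend"}),
    ]
    for (caller, call), d in zip(sample, run_batch(sample)):
        flag = "ALLOW" if d.allowed else "DENY "
        print(f"{flag} {caller:17} {call['tool']:28} {call['target']:18} {d.reason}")
```

The gate is intentionally boring: no parsing of the model's reasoning, only the tool name, the target and the caller's identity, so an attacker who controls the prompt still cannot control the decision. Merges go through only with a human approval flag set, and the third-party agent's policy is strictly narrower than the orchestrator's, which is what prevents the trust-inheritance problem in Layer 7.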
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).