
bureau — agentic threat model

AIVSS 6.1 · Medium

Bureau acts as a governance and auditing layer for Claude Code, reducing risk through append-only logging and trust-gated dossier promotion. However, its security relies heavily on the integrity of its local storage and the robustness of its consistency-checking mechanisms against adversarial session inputs.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5 · AARS uplift 1.08 · Factor sum 3.1/10 · Threat ×1.0 · Mitigation ×0.8

Agentic risk factors (each scored 0 to 1):
Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.10
Dynamic Tool Use: 0.20
Persistent Memory: 0.80
Contextual Awareness: 0.50
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.40
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
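To make the score rationale reproducible, the following is an added Python example (not part of this listing or of Bureau) that evaluates the AIVSS formula above on the ten factor values shown; the severity bands are an assumption that AIVSS reuses the CVSS v3.x qualitative scale, and the second call recomputes the same agent with no mitigation credit to show what the ×0.8 factor is worth.

```python
from fractions import Fraction
from typing import Dict, NamedTuple

# Agentic risk factors for Bureau exactly as shown on this listing (0..1 each).
BUREAU_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.20,
    "Persistent Memory": 0.80,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}

class AivssResult(NamedTuple):
    factor_sum: float  # Factor_Sum, out of 10
    aars: float        # AARS uplift, rounded to 2 decimals
    aivss: float       # final AIVSS, rounded to 1 decimal
    severity: str

def severity_band(score: float) -> str:
    # Assumption: AIVSS reuses the CVSS v3.x qualitative bands.
    for upper, name in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return name
    return "Critical"

def score_aivss(factors: Dict[str, float], cvss_base: float,
                threat_multiplier: float, mitigation_factor: float) -> AivssResult:
    """AIVSS = (CVSS_Base + AARS) x Mitigation; AARS = (10 - CVSS_Base) x (Factor_Sum/10) x ThM."""
    dec = lambda x: Fraction(str(x))  # exact decimal arithmetic, no 0.1 + 0.2 != 0.3 drift
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} must lie in 0..1")
    factor_sum = sum(dec(v) for v in factors.values())
    base = dec(cvss_base)
    aars = (10 - base) * (factor_sum / 10) * dec(threat_multiplier)
    aivss = round((base + aars) * dec(mitigation_factor), 1)
    return AivssResult(float(factor_sum), float(round(aars, 2)),
                       float(aivss), severity_band(float(aivss)))

if __name__ == "__main__":
    print(score_aivss(BUREAU_FACTORS, 6.5, 1.0, 0.8))  # Bureau as listed: 6.1 Medium
    print(score_aivss(BUREAU_FACTORS, 6.5, 1.0, 1.0))  # same agent, mitigation ×1.0: 7.6 High
```

Without the mitigation credit the same factors land at 7.6, so the append-only logging and trust-gated promotion are exactly what keep this agent in the Medium band under this formula.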

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The plugin runs on top of Claude (via Claude Code). Threats include model poisoning or indirect prompt injection where adversarial session content bypasses the consistency checker or tricks the promotion logic.

L2 · Data Operations · ✓ mapped

Manages session logbooks and cabinet dossiers. Threats include data poisoning of the logbooks, unauthorized promotion of dossiers, and lineage gaps if the append-only integrity is bypassed or tampered with directly on disk.

L3 · Agent Frameworks · ✓ mapped

Integrates directly as a Claude Code plugin. Threats include framework-level vulnerabilities where Claude Code might be manipulated to bypass the plugin's governance workflow entirely or write directly to dossiers.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — Likely runs locally within the user's CLI environment. Threats include local file system compromise, allowing unauthorized modification of the 'append-only' log files or dossiers.

L5 · Evaluation & Observability · ✓ mapped

Serves as an observability and guardrail tool. Threats include evasion of consistency checks, blind spots in session capture, and the potential for sophisticated adversarial inputs to game the automated consistency verification.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Enforces a review/trust workflow (proposed to verified). Threats include weak authorization controls for dossier promotion and lack of cryptographic signatures to verify the identity of the reviewer.

L7 · Agent Ecosystem · ✓ mapped

Governs the output of Claude Code (an agentic CLI). Threats include A2A trust abuse if other plugins or agents can write directly to the dossiers without going through Bureau's verification workflow.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).