cc-sessions — agentic threat model
cc-sessions introduces structured guardrails and multi-agent orchestration to Claude Code, mitigating unauthorized file modifications through hard approval-gated hooks. However, its deep integration with local git repositories and file systems presents a high-impact vector if its state-restoration or subagent coordination mechanisms are compromised.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.80 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.30 | |
| Multi-Agent Interactions | 0.70 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — relies entirely on Claude Code's underlying foundation models (Anthropic Claude). Threats include prompt injection bypassing Claude's native safety filters, though cc-sessions attempts to mitigate this downstream via hard hooks.
Uses markdown task files with frontmatter and git branches to persist state. Threats include data poisoning of these markdown files or git history, which could inject malicious context or instructions when the session state is restored.
Orchestrates tasks via Python/Node packages and custom hooks. A key threat is hook bypass or logic flaws in the approval-gating mechanism, allowing unauthorized Edit/Write/MultiEdit actions to execute without user consent.
Runs locally within the developer's environment with direct access to git and the local file system. Compromise of the agent could lead to local arbitrary code execution, privilege escalation, or exposure of local git credentials.
Features a dedicated Logging subagent and approval-gated hooks. Threats include logging evasion, tampering with the logging subagent to hide malicious activities, or social engineering attacks that trick the user into typing trigger phrases.
Implements strong local security controls including git branch enforcement and non-bypassable hooks. However, it lacks centralized policy enforcement or formal authorization mechanisms beyond local developer-level approvals.
Coordinates multiple subagents (Context Gathering, Code Review, Logging). Threats include subagent hijacking, where a compromised subagent feeds malicious code reviews or context to the main agent, leading to cascading trust failures.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).