ccstatusline — agentic threat model
ccstatusline is a local CLI statusline utility with low inherent agentic autonomy, but it presents a significant supply chain risk (via npm/npx execution) and potential exposure of sensitive Claude Code session data if compromised.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.00 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.10 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.20 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.10 |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — ccstatusline is a local CLI rendering tool and does not directly host or execute foundation models, though it visualizes status for Claude Code.
Layer 2, Data Operations: Not certain from the listing — The tool reads session JSON piped from Claude Code, but does not manage vector databases, RAG pipelines, or training data operations.
Layer 3, Agent Frameworks: Integrates directly with Claude Code's statusLine hook. If the session JSON parsed by the tool is manipulated or contains malicious payloads, it could exploit parsing vulnerabilities within the statusline script.
Layer 4, Deployment and Infrastructure: Runs locally on the developer's machine via 'npx ccstatusline@latest'. This introduces a critical supply chain risk where a compromise of the npm package could lead to arbitrary code execution on the host system.
Layer 5, Evaluation and Observability: Not certain from the listing — There are no mentioned evaluation, guardrail, or observability logging mechanisms built into this statusline renderer.
Layer 6, Security and Compliance: Lacks explicit security controls, authentication, or sandboxing; it runs with the permissions of the local user executing the Claude Code CLI.
Layer 7, Agent Ecosystem: Acts as an ecosystem plugin for Claude Code. A compromised statusline plugin could exfiltrate sensitive session data, commands, or code snippets piped from the main Claude Code agent.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).