Claude Code Commands Marketplace — agentic threat model

AIVSS 9.2 · Critical

The Claude Code Commands Marketplace presents a high supply-chain risk, as it allows users to install over 100 unvetted community plugins directly into their local Claude Code agent, potentially leading to arbitrary code execution and host compromise.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.8
AARS uplift: 0.45
Factor sum: 3.4 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (ten factors, summed to Factor_Sum):
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.60
Dynamic Tool Use: 0.80
Persistent Memory: 0.10
Contextual Awareness: 0.20
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.50
Opacity & Reflexivity: 0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
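The two-stage formula above is easy to misapply (the factor sum is normalised by 10 before the threat multiplier, and the final score is capped at 10), so the following script, added here as an illustration rather than taken from the AIVSS calculator or this listing, recomputes the score from the ten factor values exactly as the page reports them. It reproduces the 0.45 uplift and the 9.2 result. The qualitative severity bands are an assumption: they follow the CVSS v3 scale (9.0 and above is Critical), which matches the "Critical" label on the page but may not be the AIVSS project's own thresholds.

```python
"""Recompute the OWASP AIVSS score for the Claude Code Commands Marketplace listing.

AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
"""

# The ten agentic risk factors with the values reported on the listing page.
AGENT_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.60,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.20,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.70,
}

# Assumption: CVSS v3 qualitative bands; AIVSS may define its own thresholds.
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
]


def validate_factors(factors):
    """Reject an incomplete or out-of-range factor table before scoring.

    Ten factors normalised by 10 implies each factor lies in [0, 1]; a typo
    such as 8.0 instead of 0.8 would otherwise silently inflate the score.
    """
    missing = set(AGENT_FACTORS) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return True


def aars(cvss_base, factors, threat_multiplier):
    """Agentic AI Risk Score: uplift scaled by the headroom left above CVSS."""
    validate_factors(factors)
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Final AIVSS score, capped at the 10.0 ceiling of the scale."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return min((cvss_base + uplift) * mitigation_factor, 10.0)


def severity(score):
    """Map a numeric score to a qualitative band (CVSS-style, see assumption above)."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "None"


def score_listing(cvss_base=8.8, factors=AGENT_FACTORS,
                  threat_multiplier=1.1, mitigation_factor=1.0):
    """Produce the same summary fields the listing shows, rounded as displayed."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    score = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "cvss_base": cvss_base,
        "factor_sum": round(sum(factors.values()), 1),
        "aars": round(uplift, 2),
        "aivss": round(score, 1),
        "severity": severity(score),
    }


if __name__ == "__main__":
    for key, value in score_listing().items():
        print(f"{key:>11}: {value}")
```

Running the script prints the listing's headline figures (factor sum 3.4, AARS 0.45, AIVSS 9.2, Critical). Because the uplift is scaled by `(10 - CVSS_Base)`, an agent with a high base score gains little from its agentic factors; the 9.2 here is driven mostly by the 8.8 CVSS base that unvetted plugin execution already earns.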

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models [⚠ not certain from listing]

Not certain from the listing — The marketplace distributes commands for Claude Code, which relies on Anthropic's Claude models. Threats include model reprogramming or prompt injection via malicious plugin prompts, but the listing does not specify model-level controls.

L2 · Data Operations [⚠ not certain from listing]

Not certain from the listing — There is no mention of dedicated vector stores or RAG datasets, though plugins may access local files or codebase data during execution, risking data exfiltration.

L3 · Agent Frameworks [✓ mapped]

The marketplace directly extends the Claude Code agent framework via `/plugin marketplace add`. The primary threat is insecure tool integration and tool misuse, as 100+ community-contributed plugins can introduce arbitrary execution capabilities.

L4 · Deployment & Infrastructure [⚠ not certain from listing]

Not certain from the listing — Claude Code typically runs locally on a developer's machine. Malicious plugins pose a severe threat of container/host compromise, privilege escalation, and local credential theft.

L5 · Evaluation & Observability [⚠ not certain from listing]

Not certain from the listing — There are no mentioned guardrails, evaluation suites, or logging mechanisms to monitor plugin behavior or detect anomalous commands.

L6 · Security & Compliance (cross-cutting) [⚠ not certain from listing]

Not certain from the listing — No identity, authorization, or policy enforcement mechanisms are described for verifying the safety or origin of the 100+ community commands.

L7 · Agent Ecosystem [✓ mapped]

As an open-source marketplace with 100+ community entries, this represents a classic supply chain risk. Rogue or compromised plugins can be distributed to users, leading to cascading failures and compromised developer environments.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).