
Claude Code LSPs — agentic threat model

AIVSS 9.3 · Critical

This agent plugin marketplace introduces significant risk by executing third-party Language Server Protocol (LSP) binaries directly within the Claude Code environment, as child processes running with the developer's own privileges. That creates a high-impact vector for local code execution and workspace compromise.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.8
AARS uplift: 0.51
Factor sum: 3.9 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Substituting: AARS = (10 − 8.8) × (3.9 / 10) × 1.1 = 0.51, and AIVSS = (8.8 + 0.51) × 1.0 = 9.3.

Agentic risk factors (each scored 0 to 1; they sum to 3.9):

Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.40
Non-Determinism: 0.50
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
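The following script reproduces the 9.3 figure from the inputs printed above and lets you see how the score moves when a mitigation is credited. It is an added example, not code from the listing or from the OWASP AIVSS calculator; the cap at 10.0, the qualitative bands (borrowed from the CVSS v3.1 rating scale) and the 0.9 "what-if" mitigation value are my assumptions, not values stated on this page.

```python
"""Reproduce this page's AIVSS score from its published inputs (added example)."""

# Agentic risk factors copied from the listing above (each 0 to 1).
FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.40,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.60,
}

CVSS_BASE = 8.8          # from the page
THREAT_MULTIPLIER = 1.1  # ThM, from the page
MITIGATION_FACTOR = 1.0  # from the page: no mitigations credited


def factor_sum(factors):
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic uplift: AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, rounded to one decimal.
    Capping at 10.0 is my assumption; the page's formula does not state a cap."""
    score = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(min(score, 10.0), 1)


def severity(score):
    """Qualitative band. Assumption: the CVSS v3.1 rating scale is reused for AIVSS."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def breakdown(cvss_base=CVSS_BASE, factors=FACTORS,
              threat_multiplier=THREAT_MULTIPLIER, mitigation_factor=MITIGATION_FACTOR):
    """Every intermediate the page prints, so each one can be checked independently."""
    score = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "factor_sum": round(factor_sum(factors), 2),
        "aars": round(aars(cvss_base, factors, threat_multiplier), 2),
        "aivss": score,
        "severity": severity(score),
    }


if __name__ == "__main__":
    print(breakdown())
    # What-if: credit sandboxing of the LSP processes as a partial mitigation.
    # 0.9 is an illustrative value, not one the page assigns.
    print(breakdown(mitigation_factor=0.9))
```

The what-if run is the practical takeaway: because the CVSS base of 8.8 already sits near the Critical threshold, only the mitigation factor (sandboxing, pinning, review of the bundled servers) has much leverage on the final band; the agentic factors add at most 1.2 points on top of the base.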

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Claude Code LSPs rely on the foundation model underneath Claude Code (likely Claude 3.5 Sonnet) for reasoning. Everything an LSP server returns (diagnostic messages, hover text, completion items, symbol names) is untrusted text that lands in the model's context, so a compromised server, or a workspace file crafted to surface a particular diagnostic string, can carry injected instructions that steer the agent into misreading results or running attacker-chosen commands.

L2 · Data Operations (✓ mapped)

The plugins process local workspace files, codebases, and ASTs to generate diagnostics and definitions. A language server legitimately reads the whole workspace to index it, so exfiltration by a compromised server is indistinguishable from normal file access at the filesystem level; the usable signal is network egress, since most language servers need no outbound connections beyond fetching dependency metadata. A compromised LSP server could send proprietary source to an unauthorized external endpoint.

L3 · Agent Frameworks (✓ mapped)

The core risk lies in insecure tool integration. Claude Code orchestrates these 26 plugins as tools, and each bundled LSP server is a long-lived child process that the framework starts and feeds workspace content. If a plugin or its bundled server is compromised, the framework executes arbitrary code under the guise of standard language diagnostics; and even a legitimate server can be attacked through a crafted file in the workspace that exploits a parser bug.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — The deployment context is Claude Code (typically run locally in a developer's terminal). Unless these installable LSP packages run under strict containerization or sandboxing, a malicious LSP binary runs with the developer's own user privileges and can read or modify anything that user can (SSH keys, cloud credentials, the repository itself), which amounts to full local host compromise and a foothold for further privilege escalation.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of evaluation, logging, or guardrails covering the JSON-RPC traffic between Claude Code and the LSP servers, or of monitoring the servers' file and network activity, so anomalous behavior by an installed plugin would go undetected.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — The marketplace makes no explicit mention of security compliance, code signing, hash pinning, vulnerability scanning, or static analysis for the 26 hosted plugins and 29 bundled language servers, so a user has no published way to check that the binary that runs is the one that was vetted.
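As a concrete form of the check L3, L4 and L6 are missing, the following gate hashes a bundled language-server binary against a pinned digest before spawning it, and spawns it confined to the workspace with a minimal environment so credentials exported in the developer's shell are not inherited. This is an added illustration, not the marketplace's or Claude Code's own mechanism; the pin-record format, the `SAFE_ENV` contents and the stand-in "binary" bytes are my constructions.

```python
"""Pin-and-verify gate for a bundled LSP binary (added example; hypothetical pin format)."""
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Hypothetical pin record a marketplace could publish per bundled server. In practice the
# digest is fixed at vetting time; here it is derived from a constructed stand-in so the
# example runs offline.
SAMPLE_SERVER_BYTES = b"#!/bin/sh\nexit 0\n"  # constructed stand-in for an LSP binary
SAMPLE_PIN = {"name": "example-ls", "sha256": hashlib.sha256(SAMPLE_SERVER_BYTES).hexdigest()}

# Environment handed to the server: nothing inherited from the developer's shell, so
# API tokens or cloud credentials exported there are invisible to the server process.
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C.UTF-8"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(binary: Path, pin: dict) -> bool:
    """True only if the on-disk binary hashes to the pinned digest; fail closed otherwise."""
    expected = (pin.get("sha256") or "").lower()
    if len(expected) != 64:
        return False  # missing or malformed pin
    return sha256_file(binary) == expected


def launch_lsp(binary: Path, args, workspace: Path, pin: dict) -> subprocess.Popen:
    """Refuse to start an unverified server; otherwise spawn it with cwd inside the
    workspace, a minimal environment, and stdio pipes (LSP speaks JSON-RPC over stdio)."""
    if not verify_pinned(binary, pin):
        raise PermissionError(
            f"refusing to start {binary}: digest does not match pin for {pin.get('name')}")
    env = dict(SAFE_ENV, HOME=str(workspace))
    return subprocess.Popen(
        [str(binary), *args], cwd=str(workspace), env=env,
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )


def pin_check_demo() -> tuple:
    """Write the stand-in to disk, verify it, tamper with it, verify again, then try
    with no digest published at all. Returns (clean, tampered, unpinned)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "example-ls"
        p.write_bytes(SAMPLE_SERVER_BYTES)
        clean = verify_pinned(p, SAMPLE_PIN)
        p.write_bytes(SAMPLE_SERVER_BYTES + b"\n# trojan\n")  # simulate a tampered update
        tampered = verify_pinned(p, SAMPLE_PIN)
        unpinned = verify_pinned(p, {"name": "example-ls"})
    return clean, tampered, unpinned


def launch_demo() -> str:
    """Pin the system shell at runtime and launch it through the gate; returns its stdout,
    or "skipped" where /bin/sh is absent."""
    sh = Path("/bin/sh")
    if not sh.exists():
        return "skipped"
    pin = {"name": "sh", "sha256": sha256_file(sh)}
    with tempfile.TemporaryDirectory() as d:
        proc = launch_lsp(sh, ["-c", "printf ok"], Path(d), pin)
        out, _ = proc.communicate(timeout=10)
    return out.decode()


if __name__ == "__main__":
    print(pin_check_demo())
    print(launch_demo())
```

The hash check only proves the binary is the one that was pinned; it says nothing about whether that binary is trustworthy, which is why the listing's silence on vetting, signing and scanning (L6) matters as much as the absence of the check itself. The minimal environment is the cheap part of the L4 mitigation; it does not stop a malicious server from reading files the developer can read, which needs a real sandbox.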

L7 · Agent Ecosystem (✓ mapped)

This is a classic marketplace ecosystem risk. Users install third-party packaged plugins directly into their Claude Code agent, so a single compromised or malicious LSP package in this registry becomes a supply-chain attack that cascades across every developer environment that installs or updates it.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).