
Claude Code Router — agentic threat model

AIVSS 8.7 · High

Claude Code Router acts as a critical local gateway managing API keys, routing rules, and model providers, presenting a high-risk profile due to its central role in credential handling and dynamic model switching.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base            8.5
AARS uplift          0.68
Factor sum           4.3 / 10
Threat multiplier    ×1.05
Mitigation factor    ×0.95

Agentic risk factors (each scored 0 to 1; sum 4.3):
Autonomy of Action           0.30
Goal-Driven Planning         0.20
Self-Modification            0.10
Dynamic Tool Use             0.70
Persistent Memory            0.40
Contextual Awareness         0.50
Dynamic Identity             0.80
Multi-Agent Interactions     0.60
Non-Determinism              0.40
Opacity & Reflexivity        0.30

Scored with the canonical OWASP AIVSS formula (see the OWASP AIVSS calculator); the agentic risk factors are estimated from the agent’s described capabilities.
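The formula above, carried through with the listing's own numbers as an added example (not code from the listing, from Claude Code Router or from OWASP's calculator); the only assumption beyond the page is that rounding happens at display time, and the what-if helper `aivss_with` is added here to show how much a single factor actually moves the score:

```python
"""Worked OWASP AIVSS computation for the numbers in the listing above.

Added example; not code from the listing, Claude Code Router or OWASP's
calculator. Factor weights, CVSS base, ThM and mitigation factor are the
page's values; rounding only at display time is an assumption.
"""

# Agentic risk factors as listed on the page (each scored 0.0 to 1.0).
FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.80,
    "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}
CVSS_BASE = 8.5
THREAT_MULTIPLIER = 1.05   # ThM on the page
MITIGATION_FACTOR = 0.95   # Mitigation_Factor on the page


def aars(cvss_base, factors, thm):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM. The factors only
    scale the headroom above the base, so a high base limits their effect."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0..10")
    factor_sum = sum(factors.values())
    if not 0.0 <= factor_sum <= 10.0:
        raise ValueError("ten factors in 0..1 sum to at most 10")
    return (10.0 - cvss_base) * (factor_sum / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, unrounded."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def aivss_with(factors, name, new_weight, cvss_base=CVSS_BASE,
               thm=THREAT_MULTIPLIER, mitigation=MITIGATION_FACTOR):
    """What-if rescoring: one factor changed, everything else as listed."""
    if name not in factors:
        raise KeyError(name)
    return aivss(cvss_base, {**factors, name: new_weight}, thm, mitigation)
```

With a CVSS base of 8.5 the agentic factors can add at most 1.5 × ThM before mitigation, so halving Dynamic Identity to 0.40 still rounds to 8.7; the base vector, not the agentic uplift, is what drives this score.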

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — CCR acts as a gateway to external foundation models (Anthropic, OpenAI, Gemini, DeepSeek) rather than hosting them; threats include upstream model poisoning, adversarial manipulation of routing prompts, and model-specific vulnerabilities.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — CCR focuses on routing and API key management rather than RAG or vector stores; data operations risks are limited to transit data exposure and potential caching of sensitive payloads.

L3 · Agent Frameworks (✓ mapped)

The agent framework layer is highly critical due to the custom transformer plugin system and dynamic model switching via `/model` or `ccr model`. Vulnerabilities in the plugin system could allow arbitrary code execution or malicious routing manipulation.

L4 · Deployment & Infrastructure (✓ mapped)

Deployment and infrastructure risks are significant as CCR runs as a local gateway handling API keys for multiple providers. Compromise of the local host or the GitHub Actions integration could lead to complete credential theft and unauthorized API usage.

L5 · Evaluation & Observability (✓ mapped)

The listing highlights 'observability' as a key feature. However, insufficient logging of routed payloads or blind spots in the custom transformer plugins could allow malicious prompts or exfiltrated data to pass undetected.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — CCR centralizes API keys and routing rules but the listing does not detail built-in authentication, role-based access control (RBAC), or compliance auditing mechanisms for the local gateway.

L7 · Agent Ecosystem (✓ mapped)

CCR sits directly between downstream agents (Claude Code, Codex, ZCode) and upstream providers. This multi-agent positioning introduces risks of cascading failures, trust abuse, and credential exploitation across the connected ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).