Claude Code Router — agentic threat model
Claude Code Router (CCR) is a local gateway that manages API keys, routing rules, and model providers; its central role in credential handling and dynamic model switching gives it a high-risk profile.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.80 |
| Multi-Agent Interactions | 0.60 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the seven MAESTRO layers in order. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models). Not certain from the listing — CCR acts as a gateway to external foundation models (Anthropic, OpenAI, Gemini, DeepSeek) rather than hosting them; threats include upstream model poisoning, adversarial manipulation of routing prompts, and model-specific vulnerabilities.
Layer 2 (Data Operations). Not certain from the listing — CCR focuses on routing and API key management rather than RAG or vector stores; data operations risks are limited to transit data exposure and potential caching of sensitive payloads.
Layer 3 (Agent Frameworks). This layer is highly critical due to the custom transformer plugin system and dynamic model switching via `/model` or `ccr model`. Vulnerabilities in the plugin system could allow arbitrary code execution or malicious routing manipulation.
Layer 4 (Deployment and Infrastructure). Risks here are significant because CCR runs as a local gateway handling API keys for multiple providers. Compromise of the local host or the GitHub Actions integration could lead to complete credential theft and unauthorized API usage.
Layer 5 (Evaluation and Observability). The listing highlights 'observability' as a key feature. However, insufficient logging of routed payloads or blind spots in the custom transformer plugins could allow malicious prompts or exfiltrated data to pass undetected.
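The blind spot described for this layer has a concrete mitigation at the gateway itself: emit one structured, redacted log entry per routed request, so that model switches, off-policy routing and credentials leaving inside a prompt become visible without the log turning into a second secret store. The Python below is an added example, not code from the Claude Code Router project; the record shape (downstream agent, requested and resolved model, provider, headers, body), the route policy and the sample records are constructed assumptions.

```python
"""Structured, redacted audit logging for routed model requests.

Added illustration; not code from the Claude Code Router project. The record
shape (downstream agent, requested and resolved model, provider, headers,
body), the route policy and the sample records are assumptions constructed
for this example.
"""
import hashlib
import json
import re

SENSITIVE_HEADERS = {"authorization", "x-api-key", "cookie"}
# One illustrative secret shape; a real deployment would carry a fuller DLP ruleset.
SECRET_SHAPE = re.compile(r"\bsk-[A-Za-z0-9_-]{16,}\b")
# Which upstream providers each downstream agent may be routed to (assumed policy).
ROUTE_POLICY = {
    "claude-code": {"anthropic", "openai"},
    "codex": {"openai"},
}


def redact_headers(headers):
    """Keep header names for debugging, drop credential values."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def fingerprint(body):
    """Digest plus size of the outbound body, so a payload can be matched later without storing it."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()[:16], len(raw)


def extract_text(body):
    """Flatten message content (plain string or content-block list) so rules can run over the prompt."""
    parts = []
    for msg in body.get("messages", []):
        content = msg.get("content")
        if isinstance(content, str):
            parts.append(content)
        elif isinstance(content, list):
            parts.extend(str(block.get("text", "")) for block in content if isinstance(block, dict))
    return "\n".join(parts)


def build_log_entry(record):
    """Produce the log entry the gateway should emit for one routed request."""
    text = extract_text(record["body"])
    digest, size = fingerprint(record["body"])
    flags = []
    if record["provider"] not in ROUTE_POLICY.get(record["agent"], set()):
        flags.append("route_policy_violation")   # routed somewhere this agent may not go
    if record["requested_model"] != record["resolved_model"]:
        flags.append("model_switched")           # a dynamic switch happened; worth correlating
    if SECRET_SHAPE.search(text):
        flags.append("secret_in_prompt")         # a credential is about to leave via the prompt
    return {
        "agent": record["agent"],
        "requested_model": record["requested_model"],
        "provider": record["provider"],
        "resolved_model": record["resolved_model"],
        "headers": redact_headers(record["headers"]),
        "body_sha256_16": digest,
        "body_bytes": size,
        "flags": flags,
    }


# Constructed sample records (not captured traffic)
SAMPLE_RECORDS = [
    {
        "agent": "claude-code",
        "requested_model": "claude-sonnet",
        "provider": "anthropic",
        "resolved_model": "claude-sonnet",
        "headers": {"x-api-key": "sk-ant-" + "k" * 20, "content-type": "application/json"},
        "body": {"messages": [{"role": "user", "content": "Refactor this function to remove the duplication."}]},
    },
    {
        "agent": "claude-code",
        "requested_model": "claude-sonnet",
        "provider": "deepseek",
        "resolved_model": "deepseek-chat",
        "headers": {"authorization": "Bearer sk-" + "d" * 24},
        "body": {"messages": [{"role": "user", "content": [
            {"type": "text", "text": "Here is my .env, fix the config: OPENAI_API_KEY=sk-" + "z" * 24},
        ]}]},
    },
]


def process_samples():
    return [build_log_entry(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for entry in process_samples():
        print(json.dumps(entry))
```

The entry keeps only a truncated digest and byte count of the body, so the log can confirm what was forwarded (by re-hashing a suspect payload) without retaining prompt contents; the `flags` list is what a detection rule or SIEM query would key on.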
Layer 6 (Security and Compliance). Not certain from the listing — CCR centralizes API keys and routing rules, but the listing does not detail built-in authentication, role-based access control (RBAC), or compliance auditing mechanisms for the local gateway.
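Layers 3, 4 and 6 above name three checkable conditions on the gateway's own configuration: plugins loaded from outside a trusted directory, provider keys stored in plaintext on a host that can be compromised, and a gateway with no authentication of its own listening beyond loopback. The Python audit script below is an added example, not code from the Claude Code Router project; the config field names (`Providers`, `api_key`, `HOST`, `APIKEY`, `transformers`, `path`), the plugin directory and the sample config are assumptions, not the project's real schema.

```python
"""Audit a routing-gateway config for the credential, bind and plugin risks above.

Added illustration; not code from the Claude Code Router project. The field
names (Providers, api_key, HOST, APIKEY, transformers, path), the plugin
directory and the sample config are assumptions, not the project's real schema.
"""
import os
import re
import stat
import tempfile

# Illustrative shapes of secrets pasted straight into a config file (constructed, not exhaustive)
PLAINTEXT_KEY_PATTERNS = [
    re.compile(r"^sk-[A-Za-z0-9_-]{16,}$"),   # "sk-" prefixed keys used by several providers
    re.compile(r"^AIza[0-9A-Za-z_-]{20,}$"),  # Google-style API key shape
]
# A reference to an environment variable, e.g. "$ANTHROPIC_API_KEY" or "${OPENAI_API_KEY}"
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def classify_key(value):
    """'env' for an env reference, 'plaintext' for a key-shaped literal, 'empty' or 'unknown' otherwise."""
    if not isinstance(value, str) or not value:
        return "empty"
    if ENV_REF.match(value):
        return "env"
    if any(p.match(value) for p in PLAINTEXT_KEY_PATTERNS):
        return "plaintext"
    return "unknown"


def audit_config(cfg, plugin_root):
    """Return (severity, message) findings for a parsed config dict."""
    findings = []

    # Layer 4: provider credentials sitting in a file are what a host compromise takes first.
    for prov in cfg.get("Providers", []):
        name = prov.get("name", "?")
        kind = classify_key(prov.get("api_key"))
        if kind == "plaintext":
            findings.append(("high", f"provider '{name}' stores a plaintext API key in the config"))
        elif kind == "unknown":
            findings.append(("medium", f"provider '{name}' api_key is neither empty nor an env reference; verify it is not a secret"))

    # Layer 6: a gateway with no auth of its own must not listen beyond loopback.
    host = cfg.get("HOST", "127.0.0.1")
    if host not in LOOPBACK:
        findings.append(("high", f"gateway bound to {host}, reachable from the network"))
        if not cfg.get("APIKEY"):
            findings.append(("critical", "non-loopback bind with no gateway APIKEY: any network peer can spend the provider credentials"))

    # Layer 3: transformer plugins are executable code; confine them to an allowlisted directory.
    root = os.path.realpath(plugin_root)
    for t in cfg.get("transformers", []):
        path = t.get("path")
        if not path:
            continue
        if not os.path.realpath(path).startswith(root + os.sep):
            findings.append(("high", f"transformer plugin '{path}' resolves outside {plugin_root}"))
    return findings


def audit_file_mode(path):
    """Flag a config file whose mode lets group or others read it (anything wider than 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [("high", f"{path} has mode {oct(mode)}; provider keys are readable by other local users")] if mode & 0o077 else []


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample config exhibiting each risk (not a real deployment)
SAMPLE_CONFIG = {
    "HOST": "0.0.0.0",
    "Providers": [
        {"name": "openai", "api_key": "sk-" + "x" * 24},          # plaintext key
        {"name": "anthropic", "api_key": "$ANTHROPIC_API_KEY"},   # env reference, fine
    ],
    "transformers": [
        {"path": "/opt/ccr/plugins/rewrite.js"},                  # inside the allowlisted dir
        {"path": "/opt/ccr/plugins/../../../tmp/unvetted.js"},    # escapes it via ..
    ],
}


def run_sample():
    return audit_config(SAMPLE_CONFIG, "/opt/ccr/plugins")


def demo_file_mode():
    """Write a temp config with mode 0644 then 0600 and return the finding count for each."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        wide = len(audit_file_mode(path))
        os.chmod(path, 0o600)
        tight = len(audit_file_mode(path))
    finally:
        os.unlink(path)
    return wide, tight


if __name__ == "__main__":
    for sev, msg in run_sample():
        print(f"[{sev}] {msg}")
    print("file-mode findings (0644, 0600):", demo_file_mode())
```

The plugin check resolves `..` and symlinks with `os.path.realpath` before comparing against the allowlisted root, which is the step a naive string prefix check would miss; the bind check escalates to critical only when a non-loopback listener is combined with no gateway-side key, since either condition alone is a weaker finding.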
Layer 7 (Agent Ecosystem). CCR sits directly between downstream agents (Claude Code, Codex, ZCode) and upstream providers. This multi-agent positioning introduces risks of cascading failures, trust abuse, and credential exploitation across the connected ecosystem.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).