
claude-code-setup — agentic threat model

AIVSS 7.7 · High

The claude-code-setup agent presents a moderate-to-high risk profile primarily due to its capability to generate executable configurations, hooks, and recommend third-party MCP servers, which could lead to local code execution or supply chain compromise if manipulated via repository-based prompt injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
Inputs:
CVSS base: 7.8
AARS uplift: 0.73
Factor sum: 3.3 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.30
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.40
Persistent Memory: 0.10
Contextual Awareness: 0.80
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.30
Non-Determinism: 0.50
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
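The score above can be reproduced from the listed factors. The following is an added worked example (not code from the listing or from the AIVSS calculator it references); it implements the formula quoted above, validates the inputs, and also shows the unmitigated score so the effect of the 0.9 mitigation factor is visible.

```python
"""Worked AIVSS computation for the claude-code-setup listing (added example)."""
from dataclasses import dataclass

# The ten agentic risk factors exactly as listed on this page (each in 0.0..1.0).
FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.40,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.30,
}


@dataclass(frozen=True)
class AivssResult:
    factor_sum: float  # sum of the ten factors, out of 10
    aars: float        # Agentic AI Risk Score uplift
    score: float       # final AIVSS, rounded to one decimal


def factor_sum(factors: dict[str, float]) -> float:
    """Sum of the agentic risk factors; the formula divides this by 10."""
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return round(sum(factors.values()), 2)


def aivss(cvss_base: float, factors: dict[str, float],
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> AivssResult:
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, with
    AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM  (formula quoted on the page)."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in 0..10")
    fs = factor_sum(factors)
    aars = (10.0 - cvss_base) * (fs / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return AivssResult(fs, round(aars, 2), round(score, 1))


if __name__ == "__main__":
    r = aivss(7.8, FACTORS, threat_multiplier=1.0, mitigation_factor=0.9)
    print(f"factor sum {r.factor_sum}/10, AARS {r.aars}, AIVSS {r.score}")
    # Same inputs with no mitigation credit, to see what the 0.9 factor is worth.
    print("unmitigated AIVSS:", aivss(7.8, FACTORS).score)
```

With the page's inputs this yields factor sum 3.3, AARS 0.73 and AIVSS 7.7; dropping the mitigation factor to 1.0 raises the score to 8.5.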

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — likely relies on Anthropic's Claude models. Primary threats include indirect prompt injection where malicious files within a scanned repository manipulate the underlying model to output compromised configuration recommendations.

L2 · Data Operations (✓ mapped)

The agent directly reads local repository data to formulate recommendations. This introduces risks of data exfiltration if the agent is compromised, or repository poisoning where malicious codebase structures trick the parser.

L3 · Agent Frameworks (✓ mapped)

The framework orchestrates codebase analysis to generate hooks, skills, and configurations. Insecure generation of these components could lead to arbitrary code execution if the user blindly applies the suggested configurations.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — presumably runs locally within the user's terminal or IDE environment. If unsandboxed, a compromise of the tool could lead to local privilege escalation or unauthorized access to the host filesystem.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in guardrails, logging, or evaluation mechanisms to verify the safety of the generated configurations before they are presented to the user.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — security controls appear to rely entirely on the user's local operating system permissions and manual review of the generated configuration files.

L7 · Agent Ecosystem (✓ mapped)

The agent actively recommends subagents, skills, and MCP servers. This introduces significant ecosystem risk: a recommended third-party MCP server may be malicious or vulnerable, which would facilitate downstream supply chain attacks.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).