claude-dev-helper — agentic threat model
The claude-dev-helper poses a high security risk due to its ability to execute local shell commands (git, VSCode, workflow hooks) directly on a developer's workstation. A malicious repository or prompt injection via git diffs could lead to local code execution and complete host compromise.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin down that layer.
- Layer 1, Foundation Models: Not certain from the listing — relies on Claude (via Claude Code) as its foundation model. The primary threat is indirect prompt injection, where malicious content in a git diff or repository manipulates the model into executing unauthorized shell commands.
- Layer 2, Data Operations: Operates directly on local repository data and git diffs. Threats include exfiltration of sensitive source code, intellectual property, or hardcoded secrets committed to the repository history.
- Layer 3, Agent Frameworks: Orchestrates actions by shelling out to git and VSCode. Insecure tool integration is the critical threat here; if the plugin fails to sanitize inputs before passing them to shell commands, it could allow arbitrary command injection.
- Layer 4, Deployment & Infrastructure: Runs locally on the developer's workstation with no sandboxing mentioned. A compromise of this agent translates directly into local host compromise, arbitrary file access, and potential lateral movement within the developer's local network.
- Layer 5, Evaluation & Observability: Not certain from the listing — likely lacks robust local logging, guardrails, or anomaly detection, creating a blind spot where malicious shell executions or file modifications go unnoticed until after the fact.
- Layer 6, Security & Compliance: Not certain from the listing — as a free, open-source local plugin, it lacks formal identity, authorization, or policy-enforcement controls and inherits the full permissions of the local user running the editor.
- Layer 7, Agent Ecosystem: Not certain from the listing — operates as a plugin within the Claude Code ecosystem. Threats include cascading failures or trust abuse if other local agents or plugins interact with its workflow hooks.
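As an added illustration of the tool-integration threat described above (shelling out to git with unsanitized inputs), the following Python contrasts a string-built shell command with an argv-based call whose ref argument is validated before it reaches git. This is example code written for this page, not code from claude-dev-helper; `validate_ref`, the allow-list regex and the sample ref names are assumptions constructed here.

```python
import re
import subprocess
from typing import List

# Constructed sample inputs (not taken from any real repository).
SAFE_REF = "feature/login"
OPTION_INJECTION = "--output=/tmp/diff.txt"  # git would parse this as an option, not a ref
SHELL_INJECTION = "main; id"                 # a shell would run `id` after `git diff main`

# Hypothetical allow-list for ref names: first char alphanumeric, then a small
# safe charset. Deliberately stricter than git's own check-ref-format rules.
REF_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


class UnsafeRefError(ValueError):
    """Raised when a ref name could be read as a git option or as shell syntax."""


def validate_ref(ref: str) -> str:
    if not REF_PATTERN.match(ref) or ".." in ref or ref.endswith(".lock"):
        raise UnsafeRefError(f"rejected ref name: {ref!r}")
    return ref


def vulnerable_diff_command(ref: str) -> str:
    # Weak pattern: the ref is concatenated into one string that is later handed
    # to a shell (e.g. subprocess.run(cmd, shell=True)). Metacharacters in `ref`
    # become shell syntax, and a leading '-' becomes a git option.
    return f"git diff {ref}"


def hardened_diff_argv(ref: str) -> List[str]:
    # Hardened pattern: an argv list (no shell), the ref validated first, a
    # trailing '--' so git stops parsing revisions, and --no-ext-diff so a
    # configured external diff driver cannot be invoked by this call.
    return ["git", "diff", "--no-ext-diff", validate_ref(ref), "--"]


def run_hardened_diff(ref: str, repo_dir: str) -> str:
    # Never shell=True; the list form passes each argument to git verbatim.
    result = subprocess.run(hardened_diff_argv(ref), cwd=repo_dir,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(vulnerable_diff_command(SHELL_INJECTION))  # the string a shell would split
    print(hardened_diff_argv(SAFE_REF))
    for bad in (OPTION_INJECTION, SHELL_INJECTION):
        try:
            hardened_diff_argv(bad)
        except UnsafeRefError as exc:
            print("blocked:", exc)
```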
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).