
claude-dev-helper — agentic threat model

AIVSS 9.3 · Critical

The claude-dev-helper poses a high security risk due to its ability to execute local shell commands (git, VSCode, workflow hooks) directly on a developer's workstation. A malicious repository or prompt injection via git diffs could lead to local code execution and complete host compromise.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.54
Factor sum: 4.1/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.20
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
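A worked computation of the score above, added here as an example (it is not part of the listing or the AIVSS calculator); the inputs are the listing's own values, and the severity bands are assumed to follow the CVSS v3 qualitative scale, which the page does not state.

```python
# Added example: recompute this listing's OWASP AIVSS score from the formula
# quoted on the page, AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, with
# AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.
# All numeric inputs below are the listing's published values.

CVSS_BASE = 8.8
THREAT_MULTIPLIER = 1.1   # ThM
MITIGATION_FACTOR = 1.0

AGENTIC_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def factor_sum(factors):
    """Sum of the ten agentic factor values (each in 0.0..1.0)."""
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic risk uplift: scales the headroom above the CVSS base by the factor sum."""
    return (10 - cvss_base) * (factor_sum(factors) / 10) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Final AIVSS score per the page's formula (unrounded)."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score):
    # Assumption: bands follow the CVSS v3 qualitative scale; the page only shows 9.3 -> Critical.
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"


def score_listing():
    """Return the rounded figures shown on the listing for this agent."""
    uplift = aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER)
    total = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    return {"factor_sum": round(factor_sum(AGENTIC_FACTORS), 1),
            "aars": round(uplift, 2), "aivss": round(total, 1), "severity": severity(total)}
```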

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — relies on Claude (via Claude Code) as its foundation model. The primary threat is indirect prompt injection where malicious code in a git diff or repository manipulates the model into executing unauthorized shell commands.

L2 · Data Operations (✓ mapped)

Operates directly on local repository data and git diffs. Threats include data exfiltration of sensitive source code, intellectual property, or hardcoded secrets committed to the repository history.

L3 · Agent Frameworks (✓ mapped)

Orchestrates actions by shelling out to git and VSCode. Insecure tool integration is a critical threat here; if the plugin fails to sanitize inputs before passing them to shell commands, it could allow arbitrary command injection.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally on the developer's workstation without mentioned sandboxing. A compromise of this agent translates directly to local host compromise, arbitrary file access, and potential lateral movement within the developer's local network.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — likely lacks robust local logging, guardrails, or anomaly detection, creating a blind spot where malicious shell executions or file modifications go unnoticed until after execution.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — as a free, open-source local plugin, it lacks formal identity, authorization, or policy enforcement controls, inheriting the full permissions of the local user running the editor.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — operates as a plugin within the Claude Code ecosystem. Threats include cascading failures or trust abuse if other local agents or plugins interact with its workflow hooks.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).