Claude Forge — agentic threat model
Claude Forge acts as an orchestrator and extension framework for Claude Code, introducing significant agentic risk through its 11 agents, 36 commands, and 15 skills operating directly in terminal environments. However, its built-in 6-layer security hook stack provides explicit, active mitigation against unauthorized actions.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.40 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.50 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.80 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary because the public description did not pin that layer down.
Layer 1 (Foundation Models): Not certain from the listing — Claude Forge relies on Claude Code (Anthropic's underlying models) as its foundation layer. It neither trains nor hosts its own models, so it inherits any upstream model-level weakness, such as prompt injection or adversarial reprogramming.
Layer 2 (Data Operations): Not certain from the listing — The framework uses 'skills' and 'rules' that may ingest local codebase data, but the directory listing does not detail any vector database integration or RAG pipeline.
Layer 3 (Agent Frameworks): Highly relevant. The framework orchestrates 11 agents, 36 commands, and 15 skills. This dense toolset, combined with direct command execution, presents a high risk of tool misuse, command injection, and insecure tool integration within the local shell environment.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — As an 'oh-my-zsh-style' framework, it likely runs locally in the user's terminal/host environment. This poses a high risk of host compromise or privilege escalation if the underlying shell is not sandboxed.
Layer 5 (Evaluation and Observability): Directly addressed. The framework features a '6-layer security hook stack' designed to intercept agent actions. This provides a structured mechanism for observability, action filtering, and guardrails before commands are executed.
Layer 6 (Security and Compliance): Directly addressed. The 6-layer security hook stack acts as a cross-cutting security control layer to enforce policies, intercept risky commands, and potentially prompt for user authorization before executing agent actions.
Layer 7 (Agent Ecosystem): Highly relevant. The framework coordinates 11 distinct agents. This multi-agent architecture introduces risks of agent-to-agent trust abuse, cascading failures, and conflicting instructions across different specialized agents.
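The hook-stack layers above (observability, action filtering, user authorization before a command runs) are easier to reason about with a concrete policy layer in hand. The following is an added example and not Claude Forge's or Claude Code's own code: a single pre-execution guard for shell commands that classifies each proposed command as allow, ask, or deny and emits an audit record. It assumes the hook receives a JSON payload with `tool_name` and `tool_input.command` on stdin and that a non-zero exit code blocks the call (the convention Claude Code's PreToolUse hooks use; this page does not describe Claude Forge's actual hook interface), and the allowlist, denylist patterns, and the `Bash` tool name are illustrative choices, not values taken from the project.

```python
"""Pre-execution command guard, shaped like one layer of a hook stack.

Constructed example; NOT Claude Forge's own hook code. Assumed contract:
the hook reads a JSON object with "tool_name" and "tool_input" from stdin
and a non-zero exit code blocks the tool call. Adapt both to your runtime.
"""
import json
import re
import shlex
import sys
from dataclasses import dataclass, asdict

ALLOW, ASK, DENY = "allow", "ask", "deny"
SHELL_TOOL = "Bash"  # assumed tool name for shell execution

# Layer A: programs that may run unattended (read-only; illustrative list).
READ_ONLY_COMMANDS = {"ls", "cat", "git", "grep", "rg", "pwd", "head", "tail", "wc"}
# git subcommands that change repository or remote state still need a human.
GIT_MUTATING = {"push", "reset", "clean", "rebase", "commit", "checkout"}

# Layer B: patterns that must never run unattended (checked over the whole line).
DENY_PATTERNS = [
    (r"\brm\s+-[a-z]*r[a-z]*f?\s+(/|~|\$HOME)(\s|$)", "recursive delete of a root/home path"),
    (r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b", "piping a download into a shell"),
    (r"(>|>>)\s*~?/?\.ssh/", "writing into the SSH key directory"),
    (r"\bchmod\s+(-R\s+)?[0-7]*777\b", "world-writable permission change"),
    (r"\bgit\s+push\b.*(--force|-f)\b", "force push"),
]


@dataclass(frozen=True)
class Decision:
    verdict: str
    reason: str


def _segments(command):
    """Split a line on pipes and chaining so every stage is inspected."""
    return [s.strip() for s in re.split(r"\|\||&&|;|\|", command) if s.strip()]


def evaluate_command(tool_name, tool_input):
    """Classify one proposed tool call. Order: deny, escalate, allowlist."""
    if tool_name != SHELL_TOOL:
        return Decision(ALLOW, "not a shell tool; left to other layers")
    command = tool_input.get("command", "")
    if not command.strip():
        return Decision(DENY, "empty command")
    # Deny layer first, over the raw line, so no later rule can override it.
    for pattern, why in DENY_PATTERNS:
        if re.search(pattern, command, re.IGNORECASE):
            return Decision(DENY, why)
    # Substitution and redirection can hide a write behind a read-only program
    # (e.g. "cat $(...)"), so those lines always go to a human.
    if re.search(r"[`$<>]", command):
        return Decision(ASK, "command substitution or redirection present")
    # Allow layer: every pipeline stage must be a read-only program.
    for seg in _segments(command):
        try:
            argv = shlex.split(seg)
        except ValueError:
            return Decision(ASK, "unparseable quoting")
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog not in READ_ONLY_COMMANDS:
            return Decision(ASK, f"'{prog}' is not on the read-only allowlist")
        if prog == "git" and len(argv) > 1 and argv[1] in GIT_MUTATING:
            return Decision(ASK, f"git {argv[1]} changes repository state")
    return Decision(ALLOW, "all stages are read-only")


def audit_record(tool_name, tool_input, decision):
    """One JSON line per intercepted call, for the observability layer."""
    return json.dumps({"tool": tool_name, "input": tool_input, **asdict(decision)})


def main():
    """CLI entry: read the hook payload from stdin; exit 2 to block (assumed)."""
    payload = json.load(sys.stdin)
    name, tool_input = payload.get("tool_name", ""), payload.get("tool_input", {})
    decision = evaluate_command(name, tool_input)
    print(audit_record(name, tool_input, decision), file=sys.stderr)
    if decision.verdict == ALLOW:
        return 0
    # "ask" and "deny" both stop the unattended run here; a fuller stack would
    # route "ask" to an interactive approval prompt instead of a hard block.
    return 2


if __name__ == "__main__":
    sys.exit(main())
```

The deny rules run before anything else so that no allowlist hit can override them, and anything the simple parser cannot vouch for (substitution, redirection, odd quoting, a program outside the read-only set) falls through to "ask" rather than "allow". A regex layer like this is a coarse filter, not a sandbox: it reduces the chance of an unattended destructive command, but the host-compromise risk noted under Layer 4 still calls for running the agent with least privilege and, where possible, inside a container or restricted user account.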
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).