claudekit — agentic threat model
claudekit presents a moderate-to-high risk profile as a local npm toolkit with direct filesystem access and multi-agent orchestration capabilities. While it includes security hooks to block sensitive file access, these can be disabled, and execution within the local developer environment exposes the host to potential arbitrary code execution via compromised dependencies or prompt injection.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.80 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" carry general, caveated commentary because the public description did not pin down that layer.
| Layer | Threats for claudekit |
| --- | --- |
| 1. Foundation Models | Not certain from the listing — claudekit acts as a toolkit for Claude Code, meaning the underlying foundation model is likely Claude 3.5 Sonnet or similar. It is susceptible to standard LLM risks such as prompt injection, which could bypass the toolkit's local guardrails. |
| 2. Data Operations | Interacts directly with the local codebase and filesystem. Risks include unauthorized reading of sensitive files (e.g., .env, .git) if the file-security hooks are bypassed, disabled, or fail to cover all paths. |
| 3. Agent Frameworks | Orchestrates multiple subagents and executes local tools (TypeScript compiler, linters, checkpoint commands). Vulnerable to tool misuse or command injection if input validation on slash commands or file changes is insufficient. |
| 4. Deployment and Infrastructure | Runs locally as an npm package within the user's terminal environment. There is no mention of containerization or sandboxing, so a compromise of the tool or its dependencies could lead to local privilege escalation or host compromise. |
| 5. Evaluation and Observability | Features real-time error catching and change hooks to enforce quality. However, these guardrails can be disabled per session, creating a blind spot in which malicious or erroneous code changes bypass the checks. |
| 6. Security and Compliance | Includes file-security hooks to block sensitive-file access, a basic client-side policy enforcement mechanism. However, because the toolkit is open source and runs locally, users can easily modify or disable these controls. |
| 7. Agent Ecosystem | Employs a multi-agent architecture (6-agent parallel code review, domain-expert subagents). This introduces risks of cascading failures, conflicting instructions, or lateral trust abuse between the primary agent and its subagents. |
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).