
claudekit — agentic threat model

AIVSS 7.2 · High

claudekit is a locally installed npm toolkit with direct filesystem access and multi-agent orchestration, which puts it in the moderate-to-high risk band. It ships security hooks that block access to sensitive files, but those hooks can be disabled, and because everything executes inside the developer's own environment, a compromised dependency or a prompt injection carried in the content the agent reads can lead to arbitrary code execution on the host.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 8.2 · AARS uplift 0.83 · Factor sum 4.6/10 · Threat multiplier (ThM) ×1.0 · Mitigation factor ×0.8

Agentic risk factors (each scored 0.0 to 1.0; they sum to 4.6):
Autonomy of Action: 0.60
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.30
Contextual Awareness: 0.60
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.80
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the OWASP AIVSS formula as stated above (AIVSS calculator reference). The ten agentic risk factor values are estimates derived from the capabilities in the agent's public description, not from hands-on testing of the toolkit.
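To make the rationale checkable, here is the computation carried through in Python as an added example (not part of the listing, and not OWASP's or claudekit's code). It reproduces the listing's figures from the formula printed above and then recomputes the score with the mitigation factor set to 1.0, on the assumption, labelled in the code, that the 0.8 factor is the credit given for the file-security hooks; the severity bands and the cap at 10 are assumed from CVSS v3.x, since the listing does not state them.

```python
"""Worked AIVSS computation for the factor table above.

Added check, not code from the listing, from claudekit or from OWASP. It
applies the formula exactly as printed on this page:

    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

CVSS base, the ten factor values, the threat multiplier (ThM) and the
mitigation factor are the numbers shown in the listing. The severity bands
and the cap at 10 are assumptions borrowed from CVSS v3.x.
"""

# Factor values as assigned in the listing (each in the range 0.0 to 1.0).
CLAUDEKIT_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.80,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}

CLAUDEKIT_CVSS_BASE = 8.2
CLAUDEKIT_THREAT_MULTIPLIER = 1.0  # "Threat x1.0" in the listing
CLAUDEKIT_MITIGATION_FACTOR = 0.8  # "Mitigation x0.8" in the listing


def factor_sum(factors):
    """Sum of the ten factor values (the listing's 'Factor sum 4.6/10')."""
    if len(factors) != 10:
        raise ValueError("AIVSS uses exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} outside 0..1")
    return round(sum(factors.values()), 2)


def aars(cvss_base, factors, threat_multiplier=1.0):
    """Agentic AI Risk Score: the uplift applied on top of the CVSS base.

    It scales the headroom left above the CVSS base (10 - CVSS_Base) by the
    normalised factor sum, so a CVSS base of 10 leaves nothing to add.
    """
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Final score, rounded to one decimal and capped at 10 (cap assumed)."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(min(raw, 10.0), 1)


def severity(score):
    """Qualitative band; assumes the CVSS v3.x thresholds apply to AIVSS."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def claudekit_scores():
    """Reproduce the listing, then show the score with no mitigation credit.

    Treating the 0.8 mitigation factor as the credit for the file-security
    hooks (an assumption; the listing does not say what it covers), the
    second value is what the score becomes when those hooks are disabled.
    """
    mitigated = aivss(CLAUDEKIT_CVSS_BASE, CLAUDEKIT_FACTORS,
                      CLAUDEKIT_THREAT_MULTIPLIER, CLAUDEKIT_MITIGATION_FACTOR)
    unmitigated = aivss(CLAUDEKIT_CVSS_BASE, CLAUDEKIT_FACTORS,
                        CLAUDEKIT_THREAT_MULTIPLIER, 1.0)
    return {
        "factor_sum": factor_sum(CLAUDEKIT_FACTORS),
        "aars": round(aars(CLAUDEKIT_CVSS_BASE, CLAUDEKIT_FACTORS,
                           CLAUDEKIT_THREAT_MULTIPLIER), 2),
        "aivss": mitigated,
        "severity": severity(mitigated),
        "aivss_hooks_disabled": unmitigated,
        "severity_hooks_disabled": severity(unmitigated),
    }


if __name__ == "__main__":
    for key, value in claudekit_scores().items():
        print(f"{key:>24}: {value}")
```

Under those assumptions the listing's 7.2 (High) is reproduced, and removing the mitigation credit moves the same agent to 9.0, i.e. into the Critical band. That is the practical reading of "these can be disabled": the mitigation factor is only earned while the hooks are on.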

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary because the public description does not establish what sits at that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing. claudekit is a toolkit layered on Claude Code, so the foundation model is whichever Claude model the user's Claude Code session is running (the listing names no version; Claude 3.5 Sonnet or a similar model at the time of writing). The model carries the standard LLM risks, in particular prompt injection from repository content and tool output, which could steer it to route around the toolkit's local guardrails.

L2 · Data Operations · ✓ mapped

Interacts directly with the local codebase and filesystem. The main risk is unauthorized reading of sensitive files (e.g., .env, .git, SSH keys) if the file-security hooks are bypassed, disabled, or fail to cover all paths. "All paths" is the hard part: a hook that matches the path string the model supplied, rather than the resolved path, misses symlinks, home-relative paths and paths outside the project, and a hook bound only to file tools does not see the same file read through a shell command.
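The "fail to cover all paths" condition is easiest to see in code. The following is an added example, not claudekit's hook, written as a hypothetical Claude Code PreToolUse hook in Python: it compares a naive check on the path string the model supplied with one that resolves the path (home expansion, session cwd, '..', symlinks) before matching, and it names tool calls it cannot judge rather than silently passing them. The stdin JSON fields (tool_name, tool_input, cwd), the file_path/notebook_path keys and the convention that exit status 2 blocks the call are assumptions about the Claude Code hook protocol to verify against its current documentation; the temporary repo built in demo_symlink_bypass is a constructed fixture.

```python
"""Hypothetical PreToolUse hook for Claude Code that refuses file-tool access
to secrets. Added to illustrate the L2 bypass conditions; it is not
claudekit's hook and makes no claim about how that hook is implemented.

Assumptions about the host (check against the current Claude Code hooks
documentation before relying on this):
  * the hook receives one JSON object on stdin carrying "tool_name",
    "tool_input" and the session "cwd";
  * Read/Write/Edit put the target in tool_input["file_path"] and
    NotebookEdit in tool_input["notebook_path"];
  * exit status 2 blocks the tool call and returns stderr to the model.
"""
import fnmatch
import json
import os
import sys
import tempfile

# Glob patterns matched against every component of the *resolved* path.
DENY_COMPONENTS = (
    ".env", ".env.*", ".git", ".ssh", ".aws", ".npmrc",
    "id_rsa", "id_ed25519", "*.pem", "*.key",
)
FILE_PATH_KEYS = ("file_path", "notebook_path")


def _matches_deny(parts):
    return any(fnmatch.fnmatch(p, pat) for p in parts for pat in DENY_COMPONENTS)


def naive_is_sensitive(path):
    """The check a first implementation tends to write: inspect the string the
    model supplied. It still catches 'config/../.env' (the component is in the
    string) but not a symlink whose name looks harmless."""
    return _matches_deny(path.split(os.sep))


def resolve(path, cwd):
    """Expand ~, anchor relative paths at the session cwd, collapse '..' and
    follow symlinks. realpath() is what closes the symlink hole; abspath()
    alone would not."""
    return os.path.realpath(os.path.join(cwd, os.path.expanduser(path)))


def is_sensitive(path, cwd):
    return _matches_deny(resolve(path, cwd).split(os.sep))


def decide(event):
    """Return (allowed, reason) for one hook event."""
    tool = event.get("tool_name", "")
    tool_input = event.get("tool_input") or {}
    cwd = event.get("cwd") or os.getcwd()
    targets = [tool_input[k] for k in FILE_PATH_KEYS if k in tool_input]
    if not targets:
        # Bash, WebFetch, etc. carry no file path, so this hook cannot judge
        # them. A `cat .env` inside a Bash call is a bypass unless a separate
        # hook covers that tool; say so instead of silently allowing.
        return True, f"{tool}: no file path in input; not covered by this hook"
    for target in targets:
        if is_sensitive(target, cwd):
            return False, (f"{tool} on {target} resolves to a protected path "
                           f"({resolve(target, cwd)})")
    return True, f"{tool}: {', '.join(targets)} allowed"


def demo_symlink_bypass():
    """Build a temp repo holding .env plus a symlink notes.txt -> .env and run
    both checks on the symlink. Constructed fixture, not a real repository."""
    repo = tempfile.mkdtemp(prefix="hookdemo-")
    secret = os.path.join(repo, ".env")
    with open(secret, "w") as fh:
        fh.write("API_KEY=constructed-example\n")
    link = os.path.join(repo, "notes.txt")
    os.symlink(secret, link)
    return {
        "naive_blocks_symlink": naive_is_sensitive("notes.txt"),
        "hardened_blocks_symlink": is_sensitive("notes.txt", repo),
    }


def main():
    event = json.load(sys.stdin)
    allowed, reason = decide(event)
    if allowed:
        return 0
    print(f"file-security hook blocked this call: {reason}", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main())
```

Registered as a PreToolUse hook matched to the file tools, this blocks `/repo/.env`, `config/../.env.local` and `~/.ssh/id_rsa` while letting `.gitignore` through, and it catches the symlink case the naive check misses. Two limits remain and both are the listing's point: the hook sees nothing a Bash call does, and a session that disables hooks switches it off entirely.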

L3 · Agent Frameworks · ✓ mapped

Orchestrates multiple subagents and runs local tooling (the TypeScript compiler, linters, checkpoint commands) on the developer's behalf. If slash-command arguments or file contents flow into those invocations without validation, the result is tool misuse or shell command injection executing as the developer.

L4 · Deployment & Infrastructure · ✓ mapped

Runs locally as an npm package in the user's terminal, with no mention of containerization or sandboxing, so the toolkit and its dependency tree execute with the full privileges of the developer's account. A compromised package or transitive dependency (the supply-chain risk of any npm install) therefore means code execution as that user, with reach to whatever credentials, SSH keys and tokens live on the host.

L5 · Evaluation & Observability · ✓ mapped

Real-time error catching and change hooks enforce quality as the agent works. Because these checks can be disabled for a session, a session with hooks off is a blind spot in which malicious or erroneous changes land unreviewed; the state of the hooks is itself something to record and check, not assume.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

File-security hooks that block sensitive-file access are the toolkit's main security control, and they are a client-side policy check. Because the toolkit is open source and runs on the developer's machine, the same user (or an agent session acting in that user's name) can edit or disable them; they reduce accidents but are not a security boundary against a compromised session.

L7 · Agent Ecosystem · ✓ mapped

Uses a multi-agent architecture (a 6-agent parallel code review, domain-expert subagents). Subagents inherit the primary agent's trust and tool access, so the risks are cascading failures, conflicting instructions, and lateral trust abuse: content that prompt-injects one subagent comes back to the orchestrator as a trusted result.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).