
Cline (VS Code / JetBrains extension) — agentic threat model

AIVSS 10.0 · Critical

Cline presents an exceptionally high agentic risk posture due to its deep IDE integration, execution of arbitrary third-party plugins from untrusted URLs, and access to local filesystems and shell environments via MCP servers.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 9.8 · AARS uplift 0.15 · Factor sum 6.9/10 · Threat ×1.1 · Mitigation ×1.0

Agentic risk factors (each scored 0–1):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.90
Self-Modification: 0.40
Dynamic Tool Use: 1.00
Persistent Memory: 0.50
Contextual Awareness: 0.90
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.60
Non-Determinism: 0.80
Opacity & Reflexivity: 0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
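The following is an added worked example, not code from the AgentReady page or from OWASP: it implements the AIVSS formula exactly as printed above and reproduces this listing's numbers from its ten factor weights, so the 9.8 → 10.0 uplift can be checked rather than taken on trust. The one-decimal rounding, the clamp to the 0–10 scale and the severity bands (borrowed from CVSS qualitative ratings) are assumptions made here.

```python
"""Worked AIVSS computation for the factor weights in this listing.

Added example, not from the AgentReady page or OWASP. Implements:
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
Rounding, clamping and severity bands are assumptions made here.
"""

# Factor weights as listed on the page (each must lie in [0, 1]).
CLINE_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.90,
    "Self-Modification": 0.40,
    "Dynamic Tool Use": 1.00,
    "Persistent Memory": 0.50,
    "Contextual Awareness": 0.90,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.80,
    "Opacity & Reflexivity": 0.70,
}


def factor_sum(factors: dict[str, float]) -> float:
    """Sum the ten agentic risk factors, rejecting missing or out-of-range entries."""
    if len(factors) != 10:
        raise ValueError(f"expected 10 agentic factors, got {len(factors)}")
    for name, weight in factors.items():
        if not 0.0 <= weight <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1], got {weight}")
    # Rounded to two decimals so float noise does not leak into the printed sum.
    return round(sum(factors.values()), 2)


def aars(cvss_base: float, factors: dict[str, float], threat_multiplier: float) -> float:
    """Agentic uplift above the CVSS base; it can never exceed the headroom to 10."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict[str, float],
          threat_multiplier: float, mitigation_factor: float = 1.0) -> float:
    """Final AIVSS score, clamped to [0, 10] and rounded to one decimal (assumption)."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(min(max(raw, 0.0), 10.0), 1)


def severity(score: float) -> str:
    """Qualitative band; thresholds are assumed to follow CVSS v3 ratings."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


if __name__ == "__main__":
    base, threat = 9.8, 1.1
    uplift = aars(base, CLINE_FACTORS, threat)
    total = aivss(base, CLINE_FACTORS, threat, mitigation_factor=1.0)
    print(f"factor sum {factor_sum(CLINE_FACTORS)}/10, AARS {uplift:.2f}, "
          f"AIVSS {total} ({severity(total)})")
    # The mitigation factor scales the whole score, so a hypothetical 0.5
    # (e.g. sandboxed tool execution) would halve it; a 10.0 base leaves no headroom.
    print("with mitigation 0.5:", aivss(base, CLINE_FACTORS, threat, 0.5))
```

With the page's inputs the block reproduces the listing: a factor sum of 6.9, an AARS of 0.15, and an AIVSS that rounds to 10.0. The second print shows why the Mitigation_Factor term matters: the same capability profile with a mitigation factor of 0.5 lands in the Medium band.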

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Cline is model-agnostic and relies on external LLM providers (via API keys). The primary L1 threat is prompt injection bypassing system instructions to abuse powerful local tools.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — while Cline reads local workspace files and codebase context, the listing does not describe a dedicated vector database or RAG pipeline, though local codebase indexing is implied.

L3 · Agent Frameworks (✓ mapped)

Highly vulnerable. The framework supports dynamic tool registration via package.json schemas and lifecycle hooks. Malicious or poorly written plugins can hijack tool execution, leading to unauthorized local actions.

L4 · Deployment & Infrastructure (✓ mapped)

Critical risk. Cline runs locally within the user's IDE (VS Code/JetBrains) or CLI. It lacks default sandboxing, meaning compromised plugins or MCP servers run with the user's local OS privileges, exposing SSH keys, environment variables, and local networks.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The listing does not mention built-in guardrails, logging, or observability dashboards to detect anomalous tool calls or malicious plugin behavior at runtime.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — There is no mention of enterprise security controls, policy enforcement engines, or compliance auditing for plugin installation and execution.

L7 · Agent Ecosystem (✓ mapped)

High risk. The ecosystem allows direct installation of plugins from unverified third-party sources (GitHub, raw URLs, git). This is a large attack surface for supply-chain attacks, malicious pull requests, and untrusted code execution.
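The L4, L5 and L7 entries above describe the same gap from three sides: plugins arrive from unreviewed sources, tools run with the user's OS privileges, and nothing in the listing logs or checks tool calls. The block below is an added defender-side example, not Cline's own code, of the kind of audit a security team could run over the agent's event log. The JSON-lines event schema, the tool names, the reviewed-plugin allowlist and the sensitive-path list are all assumptions made for this illustration, and the sample events are constructed rather than captured.

```python
"""Policy audit over agent tool-call and plugin-install events.

Added example, not Cline's own code. Event schema (JSON lines with "id",
"kind" and per-kind fields), tool names, the allowlist and the sensitive
path list are assumptions; the sample log is constructed.
"""
import json
import posixpath
import shlex
from urllib.parse import urlparse

# Assumed organisational policy: plugin repositories that have been reviewed.
TRUSTED_PLUGIN_REPOS = {"github.com/example-org/reviewed-plugins"}

# Locations an IDE agent has no business touching during a coding task (assumed).
SENSITIVE_PREFIXES = ("~/.ssh", "~/.aws", "~/.gnupg", "/etc/shadow")
SENSITIVE_BASENAMES = {".env", "id_rsa", "id_ed25519", "credentials"}

# Constructed sample event log; not captured from a real session.
SAMPLE_EVENTS = """
{"id": 1, "kind": "plugin_install", "source": "https://github.com/example-org/reviewed-plugins"}
{"id": 2, "kind": "plugin_install", "source": "https://raw.example.net/plugins/helper.js"}
{"id": 3, "kind": "tool_call", "tool": "read_file", "args": {"path": "src/app.ts"}}
{"id": 4, "kind": "tool_call", "tool": "read_file", "args": {"path": "~/.ssh/id_ed25519"}}
{"id": 5, "kind": "tool_call", "tool": "execute_command", "args": {"command": "npm test"}}
{"id": 6, "kind": "tool_call", "tool": "execute_command", "args": {"command": "cat .env"}}
""".strip().splitlines()


def is_trusted_source(url: str) -> bool:
    """A plugin source is trusted only if it is an HTTPS URL for a reviewed repository."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    repo = (parsed.netloc + parsed.path.rstrip("/")).removesuffix(".git")
    return repo in TRUSTED_PLUGIN_REPOS


def touches_sensitive_path(candidate: str) -> bool:
    """True if a path (or command token) points into a credential or key location."""
    norm = posixpath.normpath(candidate)
    for prefix in SENSITIVE_PREFIXES:
        if norm == prefix or norm.startswith(prefix + "/"):
            return True
    return posixpath.basename(norm) in SENSITIVE_BASENAMES


def review_event(event: dict) -> list[str]:
    """Return policy findings for one event; an empty list means it passed."""
    findings: list[str] = []
    kind = event.get("kind")
    if kind == "plugin_install":
        if not is_trusted_source(event.get("source", "")):
            findings.append("plugin source is not on the reviewed allowlist")
    elif kind == "tool_call":
        args = event.get("args", {})
        candidates = [args["path"]] if "path" in args else []
        if "command" in args:
            try:
                candidates.extend(shlex.split(args["command"]))
            except ValueError:
                findings.append("command could not be tokenised; review manually")
        for token in candidates:
            if touches_sensitive_path(token):
                findings.append(f"references sensitive path {token!r}")
                break
    else:
        findings.append(f"unknown event kind {kind!r}")
    return findings


def audit(lines: list[str]) -> dict[int, list[str]]:
    """Map event id -> findings for every event that violates policy."""
    flagged: dict[int, list[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        findings = review_event(event)
        if findings:
            flagged[event["id"]] = findings
    return flagged


if __name__ == "__main__":
    for event_id, findings in audit(SAMPLE_EVENTS).items():
        print(f"event {event_id}: " + "; ".join(findings))
```

On the constructed log the audit flags events 2, 4 and 6 (an unreviewed plugin source, a read of an SSH private key, and a shell command that reads a `.env` file) and passes the ordinary ones. The check is deliberately coarse: it tokenises commands with `shlex` and matches paths by prefix and basename, which is enough to surface the classes of access the L4 entry worries about, and it is the sort of signal the L5 entry notes is absent from the listing.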

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).