Code as Policies — agentic threat model
Code as Policies presents a high-risk profile because it is cyber-physical: LLM-generated code directly controls physical robotic hardware. The open-source framework's description mentions no built-in sandboxing or safety guardrails, which elevates the potential for physical harm or property damage via prompt injection.
OWASP AIVSS score rationale
| Agentic factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary because the public description does not address that layer.
Layer 1, Foundation Models: Uses LLMs for program synthesis and policy generation. Vulnerable to prompt injection, adversarial examples, and model reprogramming that could force the model to generate unsafe or destructive robotic control code.
Layer 2, Data Operations: Not certain from the listing — No details on training data, RAG, or vector stores are provided, but poisoning of the perception data or code-generation training sets could result in systematically flawed physical policies.
Layer 3, Agent Frameworks: The framework orchestrates robotic control via hierarchical code generation. A major threat is insecure tool integration and tool misuse, where synthesized code executes unsafe physical actions or misinterprets perception APIs.
Layer 4, Deployment & Infrastructure: Not certain from the listing — The deployment environment and sandboxing mechanisms for executing the generated code are unspecified. Executing LLM-synthesized code directly on robotic hardware without strict sandboxing poses extreme physical and infrastructure compromise risks.
Layer 5, Evaluation & Observability: Not certain from the listing — There is no mention of real-time monitoring, execution guardrails, or anomaly detection to intercept unsafe generated policies before the robot physically executes them.
Layer 6, Security & Compliance: Not certain from the listing — No identity, authorization, or compliance frameworks are described to restrict who can issue natural language commands to the robot or to audit the generated policies.
Layer 7, Agent Ecosystem: Not certain from the listing — Multi-agent or marketplace interactions are not detailed, but deploying this framework across a fleet of robots could lead to cascading physical failures if one compromised agent propagates malicious policies.
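As an added example of the execution guardrail that Layers 3 to 5 above call for (not code from the Code as Policies paper or repository), the following static gate parses LLM-generated policy code with Python's ast module before the robot runs it and rejects imports, dangerous builtins, dunder attribute access, calls outside an allowlist, and literal move targets outside the workspace. The primitive names (get_obj_pos, move_to, pick, place, say) and the workspace limits are assumptions for this example, not the framework's real API.

```python
import ast

# Hypothetical robot API allowlist and workspace limits (metres) for this
# example; the real Code as Policies primitives are not on the page.
ALLOWED_CALLS = {"get_obj_pos", "move_to", "pick", "place", "say",
                 "abs", "min", "max", "len", "range"}
FORBIDDEN_CALLS = {"exec", "eval", "compile", "open", "__import__",
                   "getattr", "setattr", "globals", "locals", "breakpoint"}
WORKSPACE = {"x": (-0.5, 0.5), "y": (-0.5, 0.5)}


def check_move_bounds(call):
    """Flag literal move_to targets outside the workspace (computed ones need a runtime guard)."""
    found = []
    for axis, arg in zip(("x", "y"), call.args):
        if isinstance(arg, ast.Constant) and isinstance(arg.value, (int, float)):
            lo, hi = WORKSPACE[axis]
            if not lo <= arg.value <= hi:
                found.append(f"move_to {axis}={arg.value} outside workspace")
    return found


def check_policy(source):
    """Static gate on LLM-generated policy code; returns violations, empty means it may run."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"unparseable policy: {exc.msg}"]
    violations = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            violations.append("import statements are not permitted in a policy")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Blocks introspection chains such as ().__class__.__bases__
            violations.append(f"dunder attribute access: {node.attr}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            # Only bare-name calls are gated; the restricted execution
            # namespace must expose nothing else for method calls to reach.
            name = node.func.id
            if name in FORBIDDEN_CALLS:
                violations.append(f"forbidden builtin: {name}")
            elif name not in ALLOWED_CALLS:
                violations.append(f"call outside the allowlist: {name}")
            elif name == "move_to":
                violations.extend(check_move_bounds(node))
    return violations
```

The gate is a pre-execution check only; the primitives themselves still need runtime limits on computed coordinates, and the namespace the policy executes in must expose nothing beyond the allowlisted names.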
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).