codebase-graph — agentic threat model
The codebase-graph agent presents a moderate-to-high risk profile due to its deep structural analysis of source code across 42 languages and integration with FalkorDB, which could be exploited for automated vulnerability discovery or codebase poisoning if compromised.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.70 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” carry general, caveated commentary where the public description did not pin that layer down.
L1 Foundation Models: Not certain from the listing — relies on external Claude Code LLMs. The primary L1 threat is indirect prompt injection via poisoned source code comments parsed by tree-sitter, potentially hijacking the underlying model's execution flow.
L2 Data Operations: The agent builds a knowledge graph using FalkorDB and tree-sitter AST parsing. Threats include graph database poisoning, where malicious code structures manipulate the graph representation, and data exfiltration of sensitive IP contained in the parsed codebase.
L3 Agent Frameworks: Integrates as a Claude Code plugin bundling an MCP (Model Context Protocol) server. Vulnerabilities in the MCP server implementation or insecure tool integration could allow arbitrary code execution or unauthorized filesystem traversal during AST parsing.
L4 Deployment & Infrastructure: Not certain from the listing — deployment context depends on the user's local environment or IDE hosting Claude Code. If run without sandboxing, the MCP server could allow lateral movement or host filesystem compromise.
L5 Evaluation & Observability: Not certain from the listing — there are no mentioned logging, evaluation, or guardrail mechanisms to monitor the queries executed against FalkorDB or the AST parsing outputs for anomalous behavior.
L6 Security & Compliance: Not certain from the listing — as an open-source plugin, it lacks built-in enterprise compliance controls, access policies, or audit logging, relying entirely on the host environment's security posture.
L7 Agent Ecosystem: Operates within the Claude Code ecosystem via MCP. A compromised codebase-graph plugin could feed malicious structural intelligence to other connected agents or plugins, leading to cascading trust failures across the developer's toolchain.
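Two of the mitigations implied above (keeping MCP tool-call paths inside the repository root during AST parsing, and storing tree-sitter comment text in the graph as untrusted data with an instruction-like flag), as an added example that is not the codebase-graph project's own code; the helper names, the heuristic patterns and the node layout are assumptions.

```python
import posixpath
import re
from typing import Optional

# Constructed heuristic patterns for instruction-like text hidden in comments.
# Illustrative only; tune to the codebase being indexed.
_INSTRUCTION_PATTERNS = [
    re.compile(r"\bignore (all |any )?(previous|prior|above) instructions\b", re.I),
    re.compile(r"\b(you are|act as|from now on,?) (an? |the )?(assistant|ai|model|agent)\b", re.I),
    re.compile(r"\b(system|assistant|user)\s*:", re.I),
    re.compile(r"<\s*/?\s*(system|instruction|tool_call)\b", re.I),
]


def confine_path(repo_root: str, requested: str) -> Optional[str]:
    """Return the normalised path if it stays under repo_root, else None.

    Pure POSIX string normalisation so the check is deterministic; a real
    server should additionally realpath() both sides so a symlink inside
    the repository cannot point outside it.
    """
    root = posixpath.normpath(repo_root)
    if posixpath.isabs(requested):
        return None  # tool callers only ever get repo-relative paths
    joined = posixpath.normpath(posixpath.join(root, requested))
    # Compare on a directory boundary: "/repo2/x" must not pass for root "/repo".
    if joined != root and not joined.startswith(root.rstrip("/") + "/"):
        return None
    return joined


def wrap_comment(text: str, path: str, line: int) -> dict:
    """Build the graph node payload for a comment lifted from the AST.

    Comment text is always tagged untrusted (it is data, never instructions);
    instruction_like is set when a heuristic matches so graph consumers and
    any downstream model prompt can treat the node with extra suspicion.
    """
    hits = [p.pattern for p in _INSTRUCTION_PATTERNS if p.search(text)]
    return {
        "kind": "comment",
        "path": path,
        "line": line,
        "trust": "untrusted",
        "instruction_like": bool(hits),
        "matched": hits,
        "text": text,
    }
```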
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).