
CodeGraphContext — agentic threat model

AIVSS 8.6 · High

CodeGraphContext presents a high-risk profile due to its deep integration with local source code repositories and the exposure of raw Cypher query capabilities to LLM agents. Without strict query scoping and sandboxed database credentials, it could easily be exploited to exfiltrate intellectual property or map codebase vulnerabilities.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.5
AARS uplift: 1.13
Factor sum: 4.3/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0 to 1):

Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.60
Contextual Awareness: 0.80
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.50
Non-Determinism: 0.30
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
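The formula above, carried through with this listing's numbers as an added example (not code from the AgentReady site or the AIVSS calculator). The severity banding below assumes the CVSS v3 qualitative scale (7.0 to 8.9 is High); the factor names and values are the ones in the table.

```python
# Added example: reproduce the AIVSS score for CodeGraphContext from the
# listing's inputs, following the OWASP AIVSS formula quoted on the page:
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

CVSS_BASE = 7.5              # from the listing
THREAT_MULTIPLIER = 1.05     # ThM, from the listing
MITIGATION_FACTOR = 1.0      # no mitigations credited in the listing

# Ten agentic risk factors, each in [0, 1], as given in the listing.
FACTORS = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.60,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.40,
}


def aivss(cvss_base, factors, thm, mitigation):
    """Return (factor_sum, aars, score) for the given inputs."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be within 0..10")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be within 0..1")
    factor_sum = sum(factors.values())
    # AARS only ever "uses up" headroom above the CVSS base, so the
    # combined score cannot exceed 10 when mitigation <= 1.0.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * thm
    score = (cvss_base + aars) * mitigation
    return factor_sum, aars, min(score, 10.0)


def severity(score):
    """Qualitative band; assumes the CVSS v3 rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"
```

Running aivss(CVSS_BASE, FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR) gives a factor sum of 4.3, AARS of about 1.13 and a score of about 8.6, matching the listing; lowering MITIGATION_FACTOR models the effect of adding query scoping or sandboxed credentials.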

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific foundation models used to drive the agent or interpret the Cypher queries are not detailed. Standard LLM risks like prompt injection could lead to unauthorized Cypher query generation.

L2 · Data Operations (✓ mapped)

Ingests the full source tree into a Neo4j graph database. Threats include codebase data exfiltration, unauthorized access to intellectual property, and graph poisoning if malicious code is committed and indexed.

L3 · Agent Frameworks (✓ mapped)

Exposes direct Cypher queries to agents. This creates a significant tool-misuse risk where an agent could execute destructive Cypher commands or bypass intended query scopes to access sensitive parts of the graph.

L4 · Deployment & Infrastructure (✓ mapped)

Requires access to the local file system for real-time file monitoring and connection to a Neo4j instance. Threats include local file disclosure, credential theft (Neo4j URI/password), and potential host compromise if the file monitoring system is exploited.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of query logging, guardrails, or anomaly detection to monitor the Cypher queries executed by the agent or to detect malicious codebase mapping behavior.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The listing explicitly notes that query scoping and Neo4j credentials 'matter', indicating that security controls are largely left to the implementer. Lack of built-in fine-grained authorization (AuthZ) is a major risk.

L7 · Agent Ecosystem (✓ mapped)

Designed as an MCP tool to expose graph queries to other agents. This introduces agent-to-agent trust abuse risks, where a compromised orchestrator agent could leverage CodeGraphContext to map the entire application architecture for vulnerabilities.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).