CodeGraphContext — agentic threat model
CodeGraphContext presents a high-risk profile due to its deep integration with local source code repositories and the exposure of raw Cypher query capabilities to LLM agents. Without strict query scoping and sandboxed database credentials, it could easily be exploited to exfiltrate intellectual property or map codebase vulnerabilities.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.30 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The specific foundation models used to drive the agent or interpret the Cypher queries are not detailed. Standard LLM risks like prompt injection could lead to unauthorized Cypher query generation.
Ingests the full source tree into a Neo4j graph database. Threats include codebase data exfiltration, unauthorized access to intellectual property, and graph poisoning if malicious code is committed and indexed.
Exposes direct Cypher queries to agents. This creates a significant tool-misuse risk where an agent could execute destructive Cypher commands or bypass intended query scopes to access sensitive parts of the graph.
Requires access to the local file system for real-time file monitoring and connection to a Neo4j instance. Threats include local file disclosure, credential theft (Neo4j URI/password), and potential host compromise if the file monitoring system is exploited.
Not certain from the listing — There is no mention of query logging, guardrails, or anomaly detection to monitor the Cypher queries executed by the agent or to detect malicious codebase mapping behavior.
The listing explicitly notes that query scoping and Neo4j credentials 'matter', indicating that security controls are largely left to the implementer. Lack of built-in fine-grained authorization (AuthZ) is a major risk.
Designed as an MCP tool to expose graph queries to other agents. This introduces agent-to-agent trust abuse risks, where a compromised orchestrator agent could leverage CodeGraphContext to map the entire application architecture for vulnerabilities.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).