Codeium AI — agentic threat model

AIVSS 9.1 · Critical

Codeium's Windsurf agentic IDE possesses high risk due to its deep integration with local developer environments, file systems, and terminal execution capabilities, making prompt injection or malicious codebase poisoning highly impactful.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.8
AARS uplift: 0.74
Factor sum: 5.9 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.90
Self-Modification: 0.20
Dynamic Tool Use: 0.80
Persistent Memory: 0.50
Contextual Awareness: 0.90
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.20
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
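The score above can be reproduced from the formula and the ten factor values the listing gives. The following is an added example, not code from AgentReady, OWASP or Codeium: it recomputes AARS and AIVSS from those inputs and, as a generalization beyond this one listing, accepts any factor vector so the same check can be run against other agent cards. The function names, the input validation and the severity bands (assumed here to follow the CVSS v3 qualitative scale) are my own assumptions, not part of the page.

```python
# Added example: recompute an OWASP AIVSS score from the agentic risk factors
# shown on the listing, using the formula exactly as the page states it:
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
# Inputs (factor values, CVSS base, ThM, mitigation factor) are the listing's
# numbers; the function names and the severity bands are assumptions of mine.

from typing import Dict, Mapping

# The ten agentic risk factors and the values the listing assigns to Windsurf.
WINDSURF_FACTORS: Mapping[str, float] = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.90,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.50,
    "Contextual Awareness": 0.90,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.60,
}

CVSS_BASE = 8.8           # CVSS base score from the listing
THREAT_MULTIPLIER = 1.05  # ThM on the page
MITIGATION_FACTOR = 0.95  # Mitigation_Factor on the page


def factor_sum(factors: Mapping[str, float]) -> float:
    """Sum the agentic factors after checking each lies in [0, 1].

    Ten factors each capped at 1.0 give the page's 'Factor sum x/10'.
    """
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base: float, factors: Mapping[str, float], thm: float) -> float:
    """Agentic AI Risk Score uplift: the unused CVSS headroom (10 - base),
    scaled by how agentic the system is and by the threat multiplier."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm


def aivss(cvss_base: float, factors: Mapping[str, float],
          thm: float, mitigation: float) -> float:
    """Final AIVSS score, capped at 10.0 so a large uplift cannot exceed the scale."""
    score = (cvss_base + aars(cvss_base, factors, thm)) * mitigation
    return min(score, 10.0)


def severity(score: float) -> str:
    """Qualitative band; assumed to mirror the CVSS v3 scale (not stated on the page)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def breakdown(cvss_base: float, factors: Mapping[str, float],
              thm: float, mitigation: float) -> Dict[str, object]:
    """Return the same fields the listing's scorecard shows, rounded the same way."""
    uplift = aars(cvss_base, factors, thm)
    final = aivss(cvss_base, factors, thm, mitigation)
    return {
        "cvss_base": cvss_base,
        "factor_sum": round(factor_sum(factors), 2),
        "aars_uplift": round(uplift, 2),
        "aivss": round(final, 1),
        "severity": severity(final),
    }


if __name__ == "__main__":
    for key, value in breakdown(CVSS_BASE, WINDSURF_FACTORS,
                                THREAT_MULTIPLIER, MITIGATION_FACTOR).items():
        print(f"{key:12} {value}")
```

Running it reproduces the scorecard: factor sum 5.9, AARS uplift 0.74, AIVSS 9.1, Critical. Because the uplift is proportional to the CVSS headroom (10 − base), an agent with a high base score gains little from its agentic factors; the factor vector matters most for mid-range base scores, which is worth keeping in mind when comparing cards across the directory.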

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Windsurf relies on proprietary foundation models (like Cascade) which are susceptible to indirect prompt injection via malicious code comments or repository files, potentially leading to unauthorized code generation.

L2 · Data Operations (✓ mapped)

The agent indexes local codebases and repositories. A major threat is codebase poisoning, where malicious files or dependencies manipulate the agent's context and lead to insecure code suggestions or data exfiltration.

L3 · Agent Frameworks (✓ mapped)

The orchestration framework manages multi-step coding plans and tool execution. Vulnerabilities here include tool misuse, where the agent is tricked into executing destructive terminal commands or modifying critical configuration files.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally on developer machines or remote development containers. If compromised, the agent can be used for local privilege escalation, lateral movement within the corporate network, or accessing local secrets/SSH keys.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — The level of real-time guardrails, logging of executed terminal commands, and drift detection is not specified, creating potential blind spots for security teams monitoring developer environments.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — While designed for teams, specific enterprise compliance certifications (e.g., SOC2), access controls, and audit logging capabilities are not detailed in the public directory listing.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — It is unclear if the agent interacts with external agent registries or third-party extension marketplaces, which could introduce supply-chain or cascading trust vulnerabilities.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).