
Codename Goose — agentic threat model

AIVSS 8.9 · High

Goose presents a high agentic risk profile due to its ability to autonomously write and execute code directly on the host machine. Its integration with external MCP APIs and lack of default sandboxing means a prompt injection or malicious input could lead to full local system compromise.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

Inputs for this score:
CVSS base: 8.4
AARS uplift: 0.96
Factor sum: 6.0/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.95

Agentic risk factors (each scored 0–1):
Autonomy of Action: 0.90
Goal-Driven Planning: 0.80
Self-Modification: 0.40
Dynamic Tool Use: 0.90
Persistent Memory: 0.50
Contextual Awareness: 0.80
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.20
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
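To make the score rationale reproducible, the following is an added worked computation (not part of the original listing or of the goose project) that carries the AIVSS formula above through with the page's own inputs: the ten factor values, CVSS base 8.4, ThM 1.0 and mitigation factor 0.95. The range check on factor values and the severity bands (CVSS v3-style thresholds, where 8.9 falls in "High") are this example's assumptions; the page only states the formula and the resulting 8.9 · High.

```python
"""Worked AIVSS computation for the Codename Goose factor table (added example)."""

# Agentic risk factors exactly as listed on the page, each in [0, 1].
GOOSE_FACTORS = {
    "Autonomy of Action": 0.90,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.40,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.50,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}


def factor_sum(factors):
    """Sum the ten agentic risk factors.

    The count and range checks are this example's own sanity checks
    (assumption); the formula itself only needs the sum.
    """
    if len(factors) != 10:
        raise ValueError("AIVSS expects exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range [0, 1]: {value}")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier=1.0):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, as stated on the page."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def severity(score):
    """Map a rounded score to a band.

    Assumption: CVSS v3-style thresholds (9.0+ Critical, 7.0-8.9 High,
    4.0-6.9 Medium, 0.1-3.9 Low, 0 None). Consistent with the page's 8.9 = High.
    """
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return the full breakdown: factor sum, AARS uplift, raw and rounded score.

    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor. The score is rounded to one
    decimal the way the page reports it (8.9); intermediate values to two.
    """
    fsum = factor_sum(factors)
    uplift = aars(cvss_base, factors, threat_multiplier)
    raw = (cvss_base + uplift) * mitigation_factor
    score = round(raw, 1)
    return {
        "factor_sum": round(fsum, 2),
        "aars": round(uplift, 2),
        "raw": raw,
        "score": score,
        "severity": severity(score),
    }


if __name__ == "__main__":
    # Page inputs: CVSS base 8.4, ThM 1.0, mitigation 0.95.
    result = aivss(8.4, GOOSE_FACTORS, threat_multiplier=1.0, mitigation_factor=0.95)
    print("With page inputs:", result)
    # Same agent with no mitigation credit, to show how much the 0.95 factor buys.
    print("Without mitigation:", aivss(8.4, GOOSE_FACTORS, 1.0, 1.0))
```

Running the block reproduces the page's numbers: factor sum 6.0, AARS 0.96, score 8.9 (High). Dropping the mitigation credit to 1.0 lifts the same agent to 9.4, which is why the mitigation factor is worth documenting alongside the capability factors: it is the only term a deployer can move without changing the agent.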

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — goose works with 'any LLM', meaning foundation model threats (adversarial prompt injection, model poisoning) depend entirely on the user's chosen backend provider.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — as a local CLI/desktop tool, it accesses local files and codebases, but the listing does not specify if it uses a local vector database or RAG pipeline for codebase indexing.

L3 · Agent Frameworks (✓ mapped)

High risk of tool misuse and insecure tool integration; goose writes and executes code locally and orchestrates workflows via MCP-enabled APIs, making it highly susceptible to prompt injection leading to arbitrary local command execution.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally on-machine as a desktop/CLI application. Without explicit sandboxing, compromised execution or malicious code generation can directly compromise the host operating system and developer environment.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — being open-source and local, observability is likely limited to standard CLI logs, with no built-in real-time guardrails or automated drift/anomaly detection mentioned.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — as a free, open-source local tool, compliance controls (like SOC2, enterprise policy enforcement, or audit logging) are likely absent or left entirely to the user's local environment configuration.

L7 · Agent Ecosystem (✓ mapped)

Integrates with the Model Context Protocol (MCP) ecosystem. While it acts as an MCP client, interacting with external MCP-enabled APIs introduces risks of cascading failures or data exfiltration if connected to untrusted third-party tools.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).