
Coder — agentic threat model

AIVSS 6.7 · Medium

Coder presents a high-risk agentic profile because it provisions real cloud infrastructure via Terraform and grants AI agents shell access inside isolated environments, making secure sandboxing and strict credential isolation critical.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.79
Factor sum: 6.0/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.7

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.20
Dynamic Tool Use: 0.90
Persistent Memory: 0.40
Contextual Awareness: 0.80
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.50
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
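To let a reviewer re-derive the headline figure from the listing's own inputs, here is the AIVSS formula above carried through in code. This is an added example, not code from the AgentReady page or from the OWASP calculator; the function name, the returned keys and the range checks are choices made for this example.

```python
from typing import Dict

# The ten OWASP AIVSS agentic risk factors with the values this listing assigns to Coder.
CODER_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.70,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


def aivss_score(cvss_base: float, factors: Dict[str, float],
                threat_multiplier: float, mitigation_factor: float) -> dict:
    """Apply AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, with
    AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, and return each
    intermediate term so the listing's figures can be checked one by one.
    The input validation is an addition of this example, not part of the formula."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must lie in [0, 10]")
    if len(factors) != 10:
        raise ValueError("AIVSS uses exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must lie in [0, 1], got {value}")

    factor_sum = sum(factors.values())
    # AARS can only add the headroom left below 10: the higher the CVSS base,
    # the less uplift the agentic factors can contribute.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return {
        "factor_sum": round(factor_sum, 2),
        "aars": round(aars, 2),
        "aivss": round(score, 1),
    }


if __name__ == "__main__":
    # Reproduces the listing: CVSS base 8.8, ThM 1.1, mitigation 0.7 -> AIVSS 6.7
    print(aivss_score(8.8, CODER_FACTORS, 1.1, 0.7))
```

Rerunning with a mitigation factor of 1.0 shows how much of the headline score the assumed mitigations account for.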

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not specify details for that layer.

L1 · Foundation Models [⚠ not certain from listing]

Not certain from the listing — Coder acts as an infrastructure and MCP orchestration layer rather than providing the underlying LLMs. The model layer remains vulnerable to prompt injection, which could be leveraged to execute unauthorized shell commands or manipulate Terraform variables.

L2 · Data Operations [⚠ not certain from listing]

Not certain from the listing — The platform manages workspace templates and environment variables, but specific RAG or vector database integrations are not detailed. The primary data risk is the exposure of secrets, environment variables, and source code stored within the provisioned workspaces.

L3 · Agent Frameworks [✓ mapped]

Coder exposes an MCP (Model Context Protocol) surface allowing agents to provision and operate workspaces. The primary threat is tool misuse, where an agent is manipulated into executing destructive Terraform plans or running malicious shell commands within the workspace.

L4 · Deployment & Infrastructure [✓ mapped]

This is Coder's core surface. It uses Terraform-defined, isolated cloud development environments to sandbox agent execution. Threats include container escapes, lateral movement to the self-hosted control plane, and unauthorized access to the host network if the workspace boundaries are misconfigured.

L5 · Evaluation & Observability [⚠ not certain from listing]

Not certain from the listing — While Coder manages workspace state and connection logs, the listing does not detail active guardrails, real-time prompt monitoring, or agent-specific anomaly detection systems to intercept malicious commands.

L6 · Security & Compliance (cross-cutting) [✓ mapped]

Coder relies on a self-hosted control plane, template-level permissions, and secrets handling to enforce boundaries. Security depends on strict role-based access control (RBAC) to prevent agents from accessing templates or credentials outside their authorized scope.

L7 · Agent Ecosystem [✓ mapped]

The MCP integration allows external agents to interact with Coder workspaces. This introduces risks of agent-to-agent trust abuse, where a compromised external agent could exploit the workspace provisioning API to spin up unauthorized, costly, or malicious infrastructure.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).