Coder — agentic threat model
Coder presents a high-risk agentic profile because it provisions real cloud infrastructure via Terraform and grants AI agents shell access inside isolated environments, making secure sandboxing and strict credential isolation critical.
OWASP AIVSS score rationale
| Factor | Score | Rationale |
| --- | --- | --- |
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.70 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.40 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.60 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” carry general, caveated commentary where the public description did not pin down that layer.
Layer 1, Foundation Models (not certain from the listing): Coder does not supply the LLM; it is an infrastructure and MCP orchestration layer around whatever model the agent uses. That model remains exposed to prompt injection from any untrusted text the agent reads inside the workspace, and an injected instruction can be turned into unauthorized shell commands or altered Terraform variables.
Layer 2, Data Operations (not certain from the listing): The platform manages workspace templates and environment variables, but the listing does not describe RAG or vector-database integrations. The main data risk is exposure of the secrets, environment variables, and source code stored in provisioned workspaces, all of which sit within reach of an agent's shell.
Layer 3, Agent Frameworks: Coder exposes an MCP (Model Context Protocol) surface through which agents provision and operate workspaces. The primary threat is tool misuse: an agent manipulated into applying a destructive Terraform plan or running malicious shell commands inside a workspace it legitimately controls.
Layer 4, Deployment and Infrastructure: This is Coder's core surface. Terraform-defined, isolated cloud development environments sandbox agent execution. Threats include container escape, lateral movement to the self-hosted control plane, and unauthorized access to the host network when workspace boundaries are misconfigured (for example a privileged container, host networking, or a host Docker socket mounted into the workspace).
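The Layer 1, 3 and 4 threats above share one choke point: whatever an agent was talked into, the change still has to pass through a Terraform plan before it becomes infrastructure. The following is an added example, not Coder's own code, of a policy gate over that plan. It assumes the provisioning step saves the plan with `terraform plan -out=plan.out` and renders it with `terraform show -json plan.out`; the resource allowlist, the create ceiling and the forbidden container settings are illustrative policy values, and the sample plans are constructed to exercise them.

```python
"""Policy gate for an agent-produced Terraform plan, run before `terraform apply`.

Added example, not Coder's code. Assumes the plan was rendered with
`terraform show -json`; allowlist, caps and forbidden settings are illustrative.
"""
import json
import sys

# Resource types a workspace template may touch (illustrative allowlist).
ALLOWED_TYPES = {"coder_agent", "coder_app", "docker_container", "docker_image", "docker_volume"}

# Settings on the workspace container that would dissolve the sandbox boundary.
FORBIDDEN_SETTINGS = {
    "docker_container": {
        "privileged": lambda v: v is True,
        "network_mode": lambda v: v == "host",
        "pid_mode": lambda v: v == "host",
    },
}
MAX_CREATES = 3          # per-plan ceiling on new resources (cost / fan-out control)
DOCKER_SOCKET = "/var/run/docker.sock"


def evaluate_plan(plan: dict) -> list[str]:
    """Return policy violations; an empty list means the plan may be applied."""
    violations: list[str] = []
    creates = 0
    for rc in plan.get("resource_changes", []):
        address = rc.get("address", "?")
        rtype = rc.get("type", "")
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        after = change.get("after") or {}

        if rtype not in ALLOWED_TYPES:
            violations.append(f"{address}: type {rtype!r} is outside the template allowlist")
        # Terraform reports a destroy as ["delete"] and a replacement as ["delete", "create"]
        # or ["create", "delete"]; both tear down an existing workspace resource.
        if "delete" in actions:
            violations.append(f"{address}: destructive actions {actions}")
        if "create" in actions:
            creates += 1

        for key, is_bad in FORBIDDEN_SETTINGS.get(rtype, {}).items():
            if key in after and is_bad(after[key]):
                violations.append(f"{address}: {key}={after[key]!r} weakens the sandbox boundary")
        for cap in after.get("capabilities") or []:
            if "SYS_ADMIN" in (cap.get("add") or []):
                violations.append(f"{address}: adds CAP_SYS_ADMIN")
        # A mounted host Docker socket hands the workspace control of the host daemon.
        for m in after.get("mounts") or []:
            if m.get("source") == DOCKER_SOCKET:
                violations.append(f"{address}: bind-mounts {DOCKER_SOCKET}")
        for v in after.get("volumes") or []:
            if v.get("host_path") == DOCKER_SOCKET:
                violations.append(f"{address}: mounts {DOCKER_SOCKET} as a volume")

    if creates > MAX_CREATES:
        violations.append(f"plan creates {creates} resources; limit is {MAX_CREATES}")
    return violations


# Constructed sample in `terraform show -json` shape: an injected change that replaces the
# workspace container with a privileged, host-networked one and adds an off-template VM.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "coder_agent.main", "type": "coder_agent",
         "change": {"actions": ["create"], "after": {"arch": "amd64", "os": "linux"}}},
        {"address": "docker_container.workspace[0]", "type": "docker_container",
         "change": {"actions": ["delete", "create"], "after": {
             "image": "example/workspace-base:latest", "privileged": True,
             "network_mode": "host",
             "capabilities": [{"add": ["SYS_ADMIN"], "drop": []}],
             "mounts": [{"type": "bind", "source": DOCKER_SOCKET, "target": DOCKER_SOCKET}]}}},
        {"address": "aws_instance.gpu", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"instance_type": "p4d.24xlarge"}}},
    ],
}
# Constructed benign plan: a fresh, unprivileged workspace container with all caps dropped.
CLEAN_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "coder_agent.main", "type": "coder_agent",
         "change": {"actions": ["create"], "after": {"arch": "amd64", "os": "linux"}}},
        {"address": "docker_container.workspace[0]", "type": "docker_container",
         "change": {"actions": ["create"], "after": {
             "image": "example/workspace-base:latest", "privileged": False,
             "network_mode": "bridge", "capabilities": [{"add": [], "drop": ["ALL"]}],
             "mounts": []}}},
    ],
}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = evaluate_plan(plan)
    for p in problems:
        print("DENY:", p)
    sys.exit(1 if problems else 0)
```

Run it as `python gate.py plan.json` in the step between plan and apply and fail the job on a non-zero exit. The gate deliberately judges the rendered plan rather than the HCL or the agent's transcript: a variable manipulated by prompt injection, a replaced container, or a resource the template never declared all surface in `resource_changes` regardless of how the agent was steered into requesting them.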
Layer 5, Evaluation and Observability (not certain from the listing): Coder keeps workspace state and connection logs, but the listing does not describe active guardrails, real-time prompt monitoring, or agent-specific anomaly detection that would intercept a malicious command before it runs.
Layer 6, Security and Compliance: Coder relies on its self-hosted control plane, template-level permissions, and secrets handling to enforce boundaries. Security depends on strict role-based access control (RBAC) so that an agent cannot reach templates or credentials outside its authorized scope.
Layer 7, Agent Ecosystem: The MCP integration lets external agents interact with Coder workspaces. This introduces agent-to-agent trust abuse, where a compromised or over-permissioned external agent uses the workspace provisioning API to spin up unauthorized, costly, or malicious infrastructure.
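The Layer 6 and Layer 7 points above both come down to binding each MCP caller to a scope and refusing everything outside it. The following is an added example, not Coder's code, of a deny-by-default authorization step for MCP `tools/call` requests. It assumes a policy-enforcing proxy sits between each external agent and the MCP server, that the proxy knows the caller's identity (for example from the API token it connected with), and that it can count the workspaces that identity already owns. The tool names (`list_workspaces`, `create_workspace`, `run_command`, `read_file`), the template names and the policy table are illustrative and are not Coder's real MCP tool set; the traffic is constructed.

```python
"""Deny-by-default authorization for MCP tool calls from external agents.

Added example, not Coder's code. Tool names, template names and the policy table
are illustrative; the caller identity and owned-workspace count are assumed to be
supplied by the proxy that runs this check.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentPolicy:
    tools: frozenset        # MCP tools this identity may call
    templates: frozenset    # templates it may provision workspaces from
    max_workspaces: int     # ceiling on workspaces it may own at once


# Illustrative least-privilege table: a read-only reviewer and a builder with a narrow scope.
POLICY = {
    "review-bot": AgentPolicy(frozenset({"list_workspaces", "read_file"}), frozenset(), 0),
    "build-agent": AgentPolicy(
        frozenset({"list_workspaces", "create_workspace", "run_command"}),
        frozenset({"docker-minimal"}), 2),
}
PROVISIONING_TOOLS = {"create_workspace"}


def authorize(agent_id: str, request: dict, owned_workspaces: int) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown identities, methods and tools are refused."""
    policy = POLICY.get(agent_id)
    if policy is None:
        return False, f"unknown agent identity {agent_id!r}"
    if request.get("jsonrpc") != "2.0" or request.get("method") != "tools/call":
        return False, "only well-formed JSON-RPC tools/call requests are forwarded"
    params = request.get("params") or {}
    tool = params.get("name")
    args = params.get("arguments") or {}
    if tool not in policy.tools:
        return False, f"tool {tool!r} is not granted to {agent_id}"
    if tool in PROVISIONING_TOOLS:
        # Provisioning is the costly, boundary-creating action: scope it to named
        # templates and cap how much infrastructure one identity can hold.
        template = args.get("template")
        if template not in policy.templates:
            return False, f"template {template!r} is outside the scope of {agent_id}"
        if owned_workspaces >= policy.max_workspaces:
            return False, (f"{agent_id} already owns {owned_workspaces} workspace(s), "
                           f"limit {policy.max_workspaces}")
    return True, "allowed"


def tools_call(req_id: int, name: str, **arguments) -> dict:
    """Build an MCP tools/call request in JSON-RPC 2.0 shape."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


# Constructed traffic: (agent identity, request, workspaces that identity already owns).
SAMPLE_TRAFFIC = [
    ("build-agent", tools_call(1, "create_workspace", template="docker-minimal"), 1),
    ("build-agent", tools_call(2, "create_workspace", template="docker-minimal"), 2),
    ("build-agent", tools_call(3, "create_workspace", template="gpu-large"), 0),
    ("review-bot", tools_call(4, "create_workspace", template="docker-minimal"), 0),
    ("review-bot", tools_call(5, "read_file", path="/workspace/README.md"), 0),
    ("unknown-agent", tools_call(6, "list_workspaces"), 0),
]


def screen(traffic) -> list[tuple[int, bool, str]]:
    """Authorize each request and return (request id, allowed, reason) as an audit trail."""
    return [(req["id"], *authorize(agent, req, owned)) for agent, req, owned in traffic]


if __name__ == "__main__":
    for req_id, allowed, reason in screen(SAMPLE_TRAFFIC):
        print(f"#{req_id} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The policy keys on who is calling, not on what the prompt says, so a compromised external agent that asks for a GPU template or a third workspace is refused even when its request is syntactically perfect. Keep the decision log: it is the one observability signal at this layer that the listing above does not otherwise promise.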
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).