consultant — agentic threat model
The 'consultant' plugin introduces agentic risk primarily through its integration into the local development environment (Claude Code) and its use of subagents, making it a high-value target for supply-chain compromise or prompt injection that could lead to unauthorized local command execution.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0–1) |
|---|---|
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.30 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.60 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the seven MAESTRO layers in order. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — likely relies on Anthropic's Claude models via the Claude Code CLI. It is susceptible to prompt injection attacks that could hijack the consultant persona or manipulate the advisory outputs.
Layer 2, Data Operations: Not certain from the listing — likely accesses local codebase files and architecture diagrams to perform reviews. This introduces risks of local data exposure or poisoning if malicious files are parsed by the agent.
Layer 3, Agent Frameworks: Orchestrates multi-step reasoning workflows and subagents via slash commands. Vulnerable to insecure orchestration where malicious inputs to slash commands hijack subagent execution paths or trigger unintended tool use.
Layer 4, Deployment and Infrastructure: Not certain from the listing — runs locally as a Claude Code plugin. It inherits the host system's security posture and privileges, meaning a compromise of the plugin could lead to local privilege escalation or arbitrary code execution.
Layer 5, Evaluation and Observability: Not certain from the listing — no built-in evaluation, logging, or guardrails are mentioned for the advisory sessions, creating potential blind spots in monitoring agent behavior.
Layer 6, Security and Compliance: Not certain from the listing — no explicit identity, authorization, or compliance controls are described for this open-source plugin.
Layer 7, Agent Ecosystem: Distributed via the 'doodledood marketplace' and spawns 'consultant persona subagents'. This introduces supply-chain risks from the marketplace and potential cascading failures or trust abuse during multi-agent coordination.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).