← context-engineering (addyosmani/agent-skills)
context-engineering (addyosmani/agent-skills) — agentic threat model
This agent skill focuses on context-window budgeting and summarization for large codebases, presenting a moderate risk of indirect prompt injection and data omission if malicious content within the analyzed codebase manipulates the compaction logic.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.30 | |
| Self-Modification | 0.60 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — assumes an underlying LLM capable of summarization. The primary threat is indirect prompt injection, where malicious instructions embedded in codebase files hijack the model's context-engineering instructions.
Directly processes codebase data for loading and compaction. Threat: Data poisoning within the codebase (e.g., malicious comments) can manipulate the summarization process, leading to critical security code being omitted or misrepresented.
Acts as an orchestration skill managing context memory. Threat: Logic flaws in the context-budgeting algorithm could lead to state exhaustion, truncation of system instructions, or memory poisoning during the compaction phase.
Not certain from the listing — deployment is local or host-dependent as an open-source skill. Threat: If the host environment lacks sandboxing, the file-loading mechanisms used to ingest codebases could be exploited for path traversal.
Not certain from the listing — no monitoring or logging of the context-engineering decisions is detailed. Threat: Blind spots where developers cannot easily audit what context was discarded or summarized, leading to silent failures.
Not certain from the listing — no built-in compliance, data classification, or access controls are mentioned. Threat: Sensitive data (e.g., hardcoded API keys) in the codebase might be summarized and sent to external LLM APIs without filtering.
Not certain from the listing — does not explicitly detail multi-agent interactions. Threat: In a multi-agent setup, a compromised peer agent could feed bloated or adversarial context to exhaust this agent's token budget.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).