Continue CLI — agentic threat model

AIVSS 9.6 · Critical

The Continue CLI presents a high-risk profile due to its headless execution in privileged environments like CI/CD pipelines and developer terminals, where it autonomously runs MCP tools with shell access. A compromise could lead to severe supply chain attacks, unauthorized code modification, and secret exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.77
Factor sum: 5.8/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.20
Dynamic Tool Use: 0.90
Persistent Memory: 0.30
Contextual Awareness: 0.80
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.40
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not give enough detail to assess that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The CLI runs headlessly and supports various models configured via block-based config, but specific foundation models, their alignment, or vulnerability to adversarial prompt injection are not detailed.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — While the agent operates on codebase context in CI/PRs, the listing does not detail specific vector stores, RAG pipelines, or data lineage controls.

L3 · Agent Frameworks (✓ mapped)

The CLI orchestrates MCP (Model Context Protocol) tools and applies rules autonomously. The primary threat is insecure tool integration, where malicious or poorly configured MCP servers get shell/tool access, leading to arbitrary code execution.

L4 · Deployment & Infrastructure (✓ mapped)

The agent runs in CI/CD (GitHub Actions) and local terminal environments. This creates a high risk of container/host compromise, privilege escalation via CI runner tokens, and lateral movement if the runner has access to internal networks.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no explicit mention of built-in guardrails, real-time monitoring, or evaluation frameworks within the CLI itself to detect drift or malicious tool calls.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The agent operates in highly sensitive environments with access to code repositories and secrets (via GitHub Actions). The lack of strict authorization controls over which MCP tools can be executed poses a significant compliance and security risk.
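The L3 and L6 entries both come down to the same control gap: which MCP server and tool may run, and whether a shell-capable tool may run at all in CI. The following is an added, hypothetical policy gate written for this page; it is not Continue CLI's configuration or API, and the server and tool names are constructed samples. It shows the shape of the mitigation: a deny-by-default allowlist keyed by server and tool, a separate rule for shell-capable tools in CI, and an audit record for every decision so that denied calls are visible to whoever monitors the pipeline.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical tool-call authorization gate; not Continue CLI's own mechanism.


@dataclass(frozen=True)
class ToolCall:
    server: str        # name of the MCP server offering the tool
    tool: str          # tool name as advertised by that server
    environment: str   # "ci" or "local", from where the CLI is running


@dataclass
class McpToolPolicy:
    # Deny-by-default allowlist: server name -> tool names permitted to run.
    allowed: Dict[str, Set[str]]
    # Tools that give the model a shell or equivalent; blocked in CI unless opted in.
    shell_tools: Set[str] = field(default_factory=set)
    allow_shell_in_ci: bool = False
    audit: List[str] = field(default_factory=list)

    def decide(self, call: ToolCall) -> Tuple[bool, str]:
        """Return (allowed, reason) and append an audit record either way."""
        if call.server not in self.allowed:
            return self._record(call, False, "server not allowlisted")
        if call.tool not in self.allowed[call.server]:
            return self._record(call, False, "tool not allowlisted for this server")
        if (call.tool in self.shell_tools
                and call.environment == "ci"
                and not self.allow_shell_in_ci):
            return self._record(call, False, "shell-capable tool blocked in CI")
        return self._record(call, True, "allowed by policy")

    def _record(self, call: ToolCall, allowed: bool, reason: str) -> Tuple[bool, str]:
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(
            f"{verdict} env={call.environment} server={call.server} "
            f"tool={call.tool}: {reason}"
        )
        return allowed, reason


def build_example_policy() -> McpToolPolicy:
    """Constructed sample policy: a read-only server and one that exposes a shell."""
    return McpToolPolicy(
        allowed={
            "repo-reader": {"read_file", "search"},
            "dev-shell": {"run_command"},
        },
        shell_tools={"run_command"},
    )


if __name__ == "__main__":
    policy = build_example_policy()
    for call in (
        ToolCall("repo-reader", "read_file", "ci"),
        ToolCall("dev-shell", "run_command", "ci"),
        ToolCall("dev-shell", "run_command", "local"),
        ToolCall("unknown-server", "read_file", "local"),
    ):
        policy.decide(call)
    print("\n".join(policy.audit))
```

The point of the audit list is the L5 gap noted above: if the CLI itself records nothing, the gate is the one place a denied or unexpected tool call becomes observable, so its records should go to the same log the CI system already retains.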

L7 · Agent Ecosystem (✓ mapped)

The agent integrates with third-party MCP servers and the GitHub ecosystem. This introduces supply chain risks where compromised hub rules or malicious MCP servers can abuse the trust relationship to execute unauthorized actions.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).