Continue CLI — agentic threat model
The Continue CLI presents a high-risk profile due to its headless execution in privileged environments like CI/CD pipelines and developer terminals, where it autonomously runs MCP tools with shell access. A compromise could lead to severe supply chain attacks, unauthorized code modification, and secret exfiltration.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The CLI runs headlessly and supports various models configured via block-based config, but specific foundation models, their alignment, or vulnerability to adversarial prompt injection are not detailed.
Not certain from the listing — While the agent operates on codebase context in CI/PRs, the listing does not detail specific vector stores, RAG pipelines, or data lineage controls.
The CLI orchestrates MCP (Model Context Protocol) tools and applies rules autonomously. The primary threat is insecure tool integration, where malicious or poorly configured MCP servers get shell/tool access, leading to arbitrary code execution.
The agent runs in CI/CD (GitHub Actions) and local terminal environments. This creates a high risk of container/host compromise, privilege escalation via CI runner tokens, and lateral movement if the runner has access to internal networks.
Not certain from the listing — There is no explicit mention of built-in guardrails, real-time monitoring, or evaluation frameworks within the CLI itself to detect drift or malicious tool calls.
The agent operates in highly sensitive environments with access to code repositories and secrets (via GitHub Actions). The lack of strict authorization controls over which MCP tools can be executed poses a significant compliance and security risk.
The agent integrates with third-party MCP servers and the GitHub ecosystem. This introduces supply chain risks where compromised hub rules or malicious MCP servers can abuse the trust relationship to execute unauthorized actions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).