Continue (VS Code extension) — agentic threat model
Continue presents a high-risk profile due to its 'Agent mode' executing Model Context Protocol (MCP) servers with potential shell access directly on the developer's local machine. The synchronization of configurations and rules from an external hub introduces a significant supply-chain vector for prompt injection or malicious tool execution.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — Continue is model-agnostic and supports various LLMs via config.yaml. Threats depend heavily on the chosen foundation model, including prompt injection, model alignment issues, and adversarial reprogramming.
Layer 2 (Data Operations): Ingests local codebase data, documentation, and context providers. Threats include local data exfiltration via malicious prompts, poisoning of local documentation sources, and unauthorized access to sensitive files within the workspace.
Layer 3 (Agent Frameworks): Orchestrates agentic behavior using config.yaml and MCP servers. Threats include tool misuse (e.g., executing destructive shell commands via MCP), insecure tool integration, and prompt injection bypassing system-defined rules.
Layer 4 (Deployment & Infrastructure): Runs locally as a VS Code extension. Threats include local host compromise and privilege escalation if MCP servers run unsandboxed, as well as insecure storage of API keys and secrets in the local config.yaml.
Layer 5 (Evaluation & Observability): Not certain from the listing — No explicit mention of built-in evaluation, logging, or guardrails, though rules are injected into every request. Gaps in observability could allow malicious tool executions to go unnoticed.
Layer 6 (Security & Compliance): Syncs configurations and rules from hub.continue.dev. Threats include compromised hub synchronization leading to malicious rule injection, lack of centralized enterprise policy enforcement, and compliance gaps regarding local code processing.
Layer 7 (Agent Ecosystem): Integrates with external MCP servers and syncs assistants via the hub. Threats include supply chain attacks from compromised third-party MCP servers or malicious assistant configurations downloaded from the hub.
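A defender-side check for the config.yaml risks named in the framework, deployment and ecosystem layers above (plaintext API keys, MCP servers with shell access, unpinned MCP packages, hub-synced blocks). This is an added example, not part of the listing or of Continue itself; it assumes the file has already been loaded with yaml.safe_load, that the layout uses models[].apiKey, mcpServers[].command/args/env and uses: blocks for hub content, and that hub secret references take the form ${{ secrets.NAME }}.

```python
"""Audit a loaded Continue config.yaml dict for risky settings (assumed layout)."""
import re
from typing import Any

SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
FETCHERS = {"npx", "uvx", "pipx"}  # launchers that download code at start
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.\w+\s*\}\}$")  # assumed hub syntax

def _plaintext(value: Any) -> bool:
    """True if value is a literal secret rather than a ${{ secrets.X }} ref."""
    return isinstance(value, str) and bool(value) and not SECRET_REF.match(value)

def audit_config(cfg: dict[str, Any]) -> list[str]:
    """Return one finding per risky setting; an empty list means clean."""
    out: list[str] = []
    for m in cfg.get("models", []):
        if _plaintext(m.get("apiKey")):
            out.append(f"model {m.get('name', '?')}: apiKey stored in plaintext")
    for s in cfg.get("mcpServers", []):
        name = s.get("name", s.get("uses", "?"))
        if "uses" in s:
            out.append(f"mcpServer {name}: synced from hub, review before trusting")
        for k, v in (s.get("env") or {}).items():
            if _plaintext(v):
                out.append(f"mcpServer {name}: env {k} holds a plaintext secret")
        exe = str(s.get("command", "")).replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in SHELLS:
            out.append(f"mcpServer {name}: started via shell '{exe}' (arbitrary command access)")
        elif exe in FETCHERS:
            pkgs = [str(a) for a in s.get("args", []) if not str(a).startswith("-")]
            if not pkgs or "@" not in pkgs[0][1:]:  # skip leading '@' of scoped names
                out.append(f"mcpServer {name}: {exe} package not version-pinned")
    for r in cfg.get("rules", []):
        if isinstance(r, dict) and "uses" in r:
            out.append(f"rule {r['uses']}: synced from hub, injected into every request")
    return out

# Constructed sample config (not a real user's file) exercising each check.
SAMPLE_CONFIG = {
    "name": "dev-assistant",
    "models": [{"name": "gpt", "provider": "openai", "apiKey": "sk-constructed-example"},
               {"name": "claude", "provider": "anthropic", "apiKey": "${{ secrets.ANTHROPIC_KEY }}"}],
    "mcpServers": [
        {"name": "shell-tool", "command": "bash", "args": ["-c", "./tool.sh"]},
        {"name": "fs", "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "."]},
        {"name": "db", "command": "uvx", "args": ["mcp-server-sqlite@0.6.2"], "env": {"DB_PASS": "hunter2"}},
        {"uses": "someorg/some-mcp"},
    ],
    "rules": ["Prefer TypeScript", {"uses": "someorg/coding-rules"}],
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Findings are advisory: a flagged server is not necessarily malicious, but each line points at a setting the threat model above says deserves sandboxing, pinning or a secret reference instead of a literal.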
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).