Continue — agentic threat model
Continue poses a moderate-to-high risk due to its deep integration into the developer's local IDE and codebase, where prompt injection could lead to unauthorized file modification or data exfiltration of sensitive intellectual property to external LLM providers.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.50 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Allows connecting to any local or remote model. This flexibility introduces risks of model poisoning, data leakage to untrusted commercial endpoints, and susceptibility to adversarial prompt injection that can manipulate code generation.
Utilizes codebase understanding, embeddings, and documentation integration. This creates a vector for codebase poisoning, where malicious files in a repository could corrupt the RAG context and lead the assistant to suggest insecure code.
Features slash commands and file management capabilities. If compromised via prompt injection, these tools could be abused to overwrite local files, execute unauthorized commands, or leak sensitive environment variables.
Deploys locally as a VS Code or JetBrains IDE extension. It inherits the developer's local user privileges, meaning a compromise of the extension could lead to local host compromise, access to SSH keys, or lateral network movement.
Not certain from the listing — The description does not detail built-in guardrails, telemetry, or security observability features, meaning detection of malicious prompt injections or anomalous file modifications relies entirely on external IDE or host monitoring.
Not certain from the listing — There is no mention of enterprise compliance certifications (e.g., SOC2, ISO) or centralized policy enforcement, though its open-source nature allows organizations to self-audit and configure local-only models for compliance.
Not certain from the listing — The tool operates primarily as a single-user developer assistant and does not indicate multi-agent collaboration or marketplace interactions that could trigger cascading ecosystem failures.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).