
Create Plugin (Cursor) — agentic threat model

AIVSS 6.4 · Medium

This agent presents a moderate risk profile: it runs locally inside a developer's workspace with file-writing capability, but its scope is limited to scaffolding and validating Cursor plugin manifests.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 6.3
AARS uplift: 0.78
Factor sum: 2.1 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Substituting the values above: AARS = (10 − 6.3) × (2.1 / 10) × 1.0 = 3.7 × 0.21 = 0.78, and AIVSS = (6.3 + 0.78) × 0.9 = 6.37, rounded to 6.4.
Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action: 0.30
Goal-Driven Planning: 0.20
Self-Modification: 0.10
Dynamic Tool Use: 0.40
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20
Factor sum: 2.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
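The scoring formula above, carried through in code as an added example (this is not the page's or the AIVSS calculator's own code). It reproduces this listing's numbers from the ten factor values and then shows how the same inputs move the score when the mitigation factor is removed or when every factor is maxed out. The severity bands are an assumption: the page only states "Medium" for 6.4, and the code uses the CVSS v3 qualitative bands, which agree with that label.

```python
from dataclasses import dataclass

# Agentic risk factors exactly as listed on this page (each in 0.0..1.0).
LISTED_FACTORS = {
    "Autonomy of Action": 0.30,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.40,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.20,
}


@dataclass(frozen=True)
class AivssResult:
    factor_sum: float   # sum of the ten factor values, rounded to 2 places
    aars: float         # Agentic AI Risk Score uplift, rounded to 2 places
    score: float        # final AIVSS, rounded to 1 place
    severity: str       # qualitative band (assumed CVSS v3 bands, see below)


def severity_band(score: float) -> str:
    # Assumption: CVSS v3.x qualitative bands. The page does not state
    # AIVSS's own band edges; its "Medium" label for 6.4 is consistent with these.
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def aivss(cvss_base: float, factors: dict, threat_multiplier: float = 1.0,
          mitigation_factor: float = 1.0) -> AivssResult:
    """Compute AIVSS = (CVSS_Base + AARS) * Mitigation_Factor with
    AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, as stated on the page."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    if mitigation_factor <= 0.0 or threat_multiplier <= 0.0:
        raise ValueError("multipliers must be positive")

    factor_sum = sum(factors.values())
    # Uplift is bounded by the headroom left above the CVSS base: with every
    # factor at 1.0 and ThM = 1.0, AARS == 10 - CVSS_Base and the sum hits 10.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    # The page's formula states no cap, so none is applied here.
    rounded = round(score, 1)
    return AivssResult(round(factor_sum, 2), round(aars, 2), rounded, severity_band(rounded))


if __name__ == "__main__":
    listed = aivss(6.3, LISTED_FACTORS, threat_multiplier=1.0, mitigation_factor=0.9)
    print("as listed:          ", listed)
    print("without mitigation: ", aivss(6.3, LISTED_FACTORS))
    print("all factors at 1.0: ", aivss(6.3, {k: 1.0 for k in LISTED_FACTORS}))
```

Note that the ×0.9 mitigation factor is what keeps this listing in the Medium band: with the same base and factors and no mitigation credit the score rounds to 7.1, which crosses into High under the assumed bands.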

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary because the public description does not pin that layer down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The underlying LLM that Cursor uses to drive the scaffolding commands is not specified. The standard threat at this layer is prompt injection: instructions embedded in workspace content the agent reads (for example, an existing manifest it is asked to validate) could steer the model into emitting malicious boilerplate or an invalid manifest.

L2 · Data Operations (✓ mapped)

The agent reads local workspace files, specifically manifest files and the component paths they reference, to perform validation. If those inputs are attacker-controlled (a cloned repository, for instance), a component path containing ".." segments or an absolute path could make the validator read files outside the plugin directory, including sensitive workspace files.

L3 · Agent Frameworks (✓ mapped)

The agent orchestrates file-writing and validation commands. Insecure tool integration is the risk here: if the scaffolding tool can be coerced into writing outside the designated target directory, a write intended for the plugin folder becomes an arbitrary file write anywhere the developer's account can reach.
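The path-confinement check that the L2 and L3 entries above call for, as an added example written for this page rather than code from the agent or from Cursor. It assumes the agent resolves component paths from a manifest relative to a plugin root directory; the manifest shape, the root path and the helper names are constructed for illustration. The example also includes the common buggy variant (a string-prefix test) to show the sibling-directory case it misses.

```python
import os
from pathlib import Path


def resolve_inside(root: str, candidate: str) -> Path:
    """Resolve `candidate` under `root` and return the real path, raising
    ValueError if it escapes. Handles '..' segments, absolute paths, symlinks
    (via realpath) and the sibling-prefix case (/ws/proj-evil vs /ws/proj)."""
    if os.path.isabs(candidate):
        raise ValueError(f"absolute component path not allowed: {candidate!r}")
    real_root = Path(os.path.realpath(root))
    target = Path(os.path.realpath(os.path.join(real_root, candidate)))
    try:
        # Path.relative_to compares path components, not string prefixes, so
        # /workspace/proj-evil is correctly rejected for root /workspace/proj.
        target.relative_to(real_root)
    except ValueError:
        raise ValueError(f"{candidate!r} resolves outside {root!r}") from None
    return target


def escapes_root(root: str, candidate: str) -> bool:
    """True if `candidate` would read or write outside `root`."""
    try:
        resolve_inside(root, candidate)
        return False
    except ValueError:
        return True


def naive_escapes_root(root: str, candidate: str) -> bool:
    """The common buggy check: a string-prefix test on the resolved path.
    Shown only to contrast with escapes_root; do not use."""
    resolved = os.path.realpath(os.path.join(root, candidate))
    return not resolved.startswith(os.path.realpath(root))


def offending_component_paths(root: str, manifest: dict) -> list:
    """Return the manifest component paths that escape `root`.
    Assumed manifest shape (constructed for this example): {"components": [str, ...]}."""
    return [p for p in manifest.get("components", []) if escapes_root(root, p)]


# Constructed sample manifest: two legitimate entries and three hostile ones.
SAMPLE_MANIFEST = {
    "name": "example-plugin",
    "components": [
        "src/index.ts",
        "assets/icon.png",
        "../../.ssh/id_rsa",            # classic traversal
        "/etc/passwd",                  # absolute path
        "../example-plugin-evil/x.ts",  # sibling directory sharing the root's prefix
    ],
}

if __name__ == "__main__":
    root = "/workspace/example-plugin"
    for path in offending_component_paths(root, SAMPLE_MANIFEST):
        print("rejected:", path, "| naive check would reject:", naive_escapes_root(root, path))
```

Apply the same check to the scaffolder's write side: every output path should go through resolve_inside before the file is created, and the check must run on the resolved real path rather than the string the manifest supplied.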

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally as a Cursor IDE plugin with the developer's own privileges. The primary threat is an arbitrary file write within the local workspace, which can turn into local code execution if a scaffolded file is later executed by the IDE, a build step, or the developer.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in logging, guardrails, or telemetry that would let a user monitor scaffolding and validation actions for anomalous behavior, such as writes outside the target directory.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The listing describes the agent as open source and free, but it does not mention security audits, sandboxing, or an access-control policy restricting which workspace directories the agent may modify.

L7 · Agent Ecosystem (✓ mapped)

The agent produces plugins that conform to the Cursor specification and may be published to the wider ecosystem. A compromise of this agent could therefore seed malicious plugins into that supply chain at the point where they are created.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).