AgentReadyHomeAgent Listing

← Cursor

Cursor — agentic threat model

7.8AIVSS 7.8 · High

Cursor presents a high-risk profile due to its deep integration with local developer environments, full codebase access, and ability to generate and execute code. A compromise of the IDE or its underlying API connections could lead to arbitrary code execution, local privilege escalation, or massive intellectual property theft.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.69Factor sum 4.4/10Threat ×1.05Mitigation ×0.85
Autonomy of Action
0.40
Goal-Driven Planning
0.50
Self-Modification
0.10
Dynamic Tool Use
0.60
Persistent Memory
0.30
Contextual Awareness
0.80
Dynamic Identity
0.20
Multi-Agent Interactions
0.20
Non-Determinism
0.70
Opacity & Reflexivity
0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

Cursor leverages advanced models like GPT-4. Threats include prompt injection attacks that could trick the model into generating insecure code, introducing subtle backdoors, or bypassing safety filters to leak proprietary system prompts.

L2 · Data Operations✓ mapped

The agent features 'Repo-Wide Understanding', meaning it indexes and processes the entire local codebase. This creates a high risk of data exfiltration of proprietary IP if the indexing data or vector embeddings are insecurely transmitted or stored.

L3 · Agent Frameworks✓ mapped

With features like auto-debugging and lint fixing, the agent orchestrates tool calls to interact with local files and compilers. Insecure tool integration could allow a malicious codebase (via prompt injection in source files) to execute arbitrary commands on the host system.

L4 · Deployment & Infrastructure✓ mapped

As a local IDE fork of VSCode, Cursor runs directly on the developer's machine with user-level privileges. Compromise of the client application or its backend API communication channels could lead to full host compromise.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there is no mention of real-time guardrails, logging of model outputs, or drift detection mechanisms to monitor the safety of generated code before it is executed or committed.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

The listing highlights 'Privacy Mode' to prevent code from being stored or used for training. However, there is no explicit mention of enterprise compliance standards (like SOC2), role-based access controls, or audit logging for compliance verification.

L7 · Agent Ecosystem✓ mapped

Cursor maintains VSCode compatibility, allowing it to interact with a vast ecosystem of third-party extensions. This introduces supply-chain risks where compromised extensions could interact with or exploit Cursor's agentic capabilities.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).