dash0 — agentic threat model

AIVSS 6.9 · Medium

Dash0 is an observability plugin for Claude Code that poses a moderate-to-high data exposure risk: it captures sensitive session telemetry (including LLM invocations and tool calls) and transmits it to external OTel backends, with no built-in sanitization or security controls mentioned.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5 · AARS uplift 0.42 · Factor sum 1.2/10 · Threat ×1.0 · Mitigation ×1.0

Autonomy of Action: 0.10
Goal-Driven Planning: 0.00
Self-Modification: 0.00
Dynamic Tool Use: 0.20
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.20
Non-Determinism: 0.10
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The plugin does not provide foundation models itself, but because it intercepts LLM invocations from Claude Code, any vulnerabilities in the underlying model (like prompt injection) could result in malicious payloads being captured and logged in the telemetry stream.

L2 · Data Operations · ✓ mapped

The plugin captures and processes session data, tool calls, and LLM inputs/outputs. The primary threat is data exfiltration or leakage of sensitive information (such as API keys, PII, or proprietary code) contained within those traces to unauthorized OTel backends.

L3 · Agent Frameworks · ✓ mapped

The plugin instruments Claude Code sessions via hooks. If the hook mechanism is compromised, an attacker could manipulate the telemetry data, bypass logging, or exploit the integration to intercept tool execution details.

L4 · Deployment & Infrastructure · ✓ mapped

Telemetry is sent to Dash0 or any OTel-compatible backend. Threats include insecure transmission (lack of TLS), unauthorized access to the OTel collector, or interception of the telemetry stream in transit.

L5 · Evaluation & Observability · ✓ mapped

As an observability tool, its main risk is the accidental logging of sensitive data (credentials, secrets, PII) in traces, creating a high-value target for attackers looking to harvest credentials from monitoring logs.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — There is no mention of access control, encryption at rest/in transit, or compliance certifications (like SOC2) for how the captured telemetry data is handled and secured.

L7 · Agent Ecosystem · ✓ mapped

The plugin operates within the Claude Code ecosystem. If Claude Code interacts with other agents, this plugin could inadvertently capture and expose multi-agent interaction traces, leading to cascading data exposure across the ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).