devlo — agentic threat model
devlo.ai presents a high-risk profile as an autonomous development assistant with potential write access to code repositories and CI/CD pipelines, making it a prime target for supply chain attacks and intellectual property exfiltration.
OWASP AIVSS score rationale
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — likely relies on third-party frontier LLMs optimized for code generation. Key threats include prompt injection leading to the generation of insecure or malicious code, and model reprogramming.
Not certain from the listing — likely ingests and indexes proprietary codebases via RAG or vector databases. Key threats include codebase poisoning (injecting malicious comments/code to bias suggestions) and exfiltration of intellectual property.
Not certain from the listing — orchestrates multi-step development tasks. Key threats include tool misuse (e.g., executing destructive git commands or arbitrary shell scripts) and insecure handling of repository write permissions.
Not certain from the listing — likely hosted as a SaaS platform or integrated via IDE/GitHub Apps. Key threats include exposure of repository access tokens, lack of sandboxing during local code execution/testing, and container compromise.
Not certain from the listing — no mention of guardrails or logging mechanisms. Key threats include blind spots regarding malicious code commits and a lack of real-time drift or anomaly detection in generated code patterns.
Not certain from the listing — closed-source paid tool without explicit security certifications (e.g., SOC2) or fine-grained RBAC mentioned. Key threats include unauthorized repository access and lack of auditability for AI-driven changes.
Not certain from the listing — acts as a 'virtual teammate' but does not explicitly detail multi-agent orchestration. Key threats include trust abuse if integrated directly with other automated CI/CD or deployment agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).