doc-driven-development — agentic threat model
This agent presents a high-risk profile: it applies code modifications directly to a local working tree on the basis of markdown instructions, which makes it highly susceptible to prompt injection through malicious documentation.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.40 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” carry general, caveated commentary, because the public description did not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — relies on Claude Code's underlying Claude models. Vulnerable to indirect prompt injection if a malicious markdown design document contains instructions that hijack the model's reasoning to write backdoors into the codebase.
Layer 2, Data Operations: The agent treats local markdown files as the primary source of truth. If these files are poisoned or modified by an untrusted actor (e.g., via a malicious git pull), the agent will faithfully implement the malicious specifications.
Layer 3, Agent Frameworks: Implements a plan-from-markdown workflow that translates high-level documentation into file system edits. Vulnerabilities in the parsing or execution of these plans could lead to arbitrary file writes or directory traversal within the working tree.
Layer 4, Deployment and Infrastructure: Not certain from the listing — as a Claude Code plugin, it likely runs locally on a developer's workstation. If not sandboxed, compromised execution could lead to full host compromise, local credential theft, or unauthorized code commits.
Layer 5, Evaluation and Observability: Not certain from the listing — there is no mention of built-in guardrails, dry-run verifications, or semantic diff evaluations to ensure the generated code matches the safe intent of the documentation before applying changes.
Layer 6, Security and Compliance: Not certain from the listing — lacks explicit authorization controls or policy enforcement mechanisms to restrict which directories or files the agent is permitted to modify based on the markdown input.
Layer 7, Agent Ecosystem: Operates as a plugin within the Claude Code ecosystem. It interacts directly with the host environment's developer tools, creating a risk of cascading compromise if chained with other local development plugins.
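The guardrails noted as absent above (working-tree confinement, a path policy, and a dry-run diff before any write) can be sketched as a small pre-apply check. This is an added illustration, not code from the plugin; the `PlannedEdit` shape and the `DENY_PREFIXES` policy are assumptions about how a markdown-derived plan might be represented.

```python
from __future__ import annotations
import difflib
import os
from dataclasses import dataclass

# Paths a plan must never touch even inside the working tree
# (hypothetical policy: repo metadata, CI workflows, agent config).
DENY_PREFIXES = (".git/", ".github/workflows/", ".claude/")


@dataclass
class PlannedEdit:
    path: str      # path as written in the markdown plan, relative to the repo
    new_text: str  # full file contents the plan wants to write


def check_edit(edit: PlannedEdit, repo_root: str) -> str | None:
    """Return a rejection reason, or None if the edit may be applied.

    realpath() follows symlinks, so a link inside the repo that points
    outside it is rejected just like '../' traversal or an absolute path.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, edit.path))
    if os.path.commonpath([root, target]) != root:
        return "escapes working tree"
    rel = os.path.relpath(target, root).replace(os.sep, "/")
    if rel.startswith(DENY_PREFIXES):
        return f"denied path: {rel}"
    return None


def dry_run(edits: list[PlannedEdit], repo_root: str) -> dict[str, str]:
    """Map each planned path to a unified diff or a rejection; writes nothing."""
    report: dict[str, str] = {}
    for e in edits:
        reason = check_edit(e, repo_root)
        if reason:
            report[e.path] = f"REJECTED: {reason}"
            continue
        full = os.path.join(repo_root, e.path)
        old: list[str] = []
        if os.path.exists(full):
            with open(full, encoding="utf-8") as f:
                old = f.read().splitlines(keepends=True)
        new = e.new_text.splitlines(keepends=True)
        diff = difflib.unified_diff(old, new, fromfile=f"a/{e.path}", tofile=f"b/{e.path}")
        report[e.path] = "".join(diff)
    return report
```

The report is what a reviewer would inspect before letting the agent apply the plan; rejected entries never reach the filesystem.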
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).