
echo-sleuth — agentic threat model

AIVSS 8.8 · High

echo-sleuth presents a high-risk profile due to its deep access to sensitive local developer assets (git history and session transcripts) and its capability to autonomously modify and prune Claude Code's persistent memory, making it a prime target for prompt injection and data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 7.5
AARS uplift: 1.3
Factor sum: 5.2/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.60
Goal-Driven Planning: 0.40
Self-Modification: 0.80
Dynamic Tool Use: 0.50
Persistent Memory: 0.90
Contextual Awareness: 0.80
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.20
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
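To make the score rationale reproducible, the following is an added Python example (not the listing site's own calculator) that implements the AIVSS formula stated above and feeds it the ten factor values listed for echo-sleuth. The qualitative band is an assumption: it follows the CVSS v3.x scale (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0), which matches the "8.8 · High" label on the page but is not spelled out by the listing.

```python
# Added example: OWASP AIVSS computation as stated on the listing page:
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
# This is not the listing site's own code; it reproduces the numbers shown there.

from typing import Dict

# Agentic risk factors exactly as listed for echo-sleuth (each in the range 0..1).
ECHO_SLEUTH_FACTORS: Dict[str, float] = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.80,
    "Dynamic Tool Use": 0.50,
    "Persistent Memory": 0.90,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def factor_sum(factors: Dict[str, float]) -> float:
    """Sum the ten agentic factors, rejecting out-of-range values."""
    if len(factors) != 10:
        raise ValueError(f"expected 10 agentic factors, got {len(factors)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1], got {value}")
    return sum(factors.values())


def aars(cvss_base: float, factors: Dict[str, float], threat_multiplier: float = 1.0) -> float:
    """Agentic AI Risk Score: the uplift added on top of the CVSS base.

    Because it is scaled by (10 - CVSS_Base), the uplift can never push the
    total above 10 when ThM <= 1.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base must be in [0, 10], got {cvss_base}")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: Dict[str, float],
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> float:
    """Final AIVSS score per the formula on the listing page."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score: float) -> str:
    """Qualitative band. ASSUMPTION: CVSS v3.x bands, not defined by the listing."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_report(cvss_base: float, factors: Dict[str, float],
                 threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> Dict[str, object]:
    """Rounded breakdown in the same shape the listing displays."""
    total = aivss(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "cvss_base": round(cvss_base, 1),
        "factor_sum": round(factor_sum(factors), 1),
        "aars_uplift": round(aars(cvss_base, factors, threat_multiplier), 1),
        "aivss": round(total, 1),
        "severity": severity(round(total, 1)),
    }


if __name__ == "__main__":
    # Reproduces the listing: CVSS 7.5, factor sum 5.2, AARS 1.3, AIVSS 8.8 (High).
    for key, value in score_report(7.5, ECHO_SLEUTH_FACTORS).items():
        print(f"{key}: {value}")
```

Running the block reproduces the listed breakdown (factor sum 5.2, AARS uplift 1.3, AIVSS 8.8). Lowering `mitigation_factor` below 1.0 is how documented controls (logging of pruning decisions, a confirmation step before memory deletion) would be reflected in a re-score.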

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Operates as a Claude Code plugin, inheriting Claude's underlying foundation model. Primary threat is indirect prompt injection via malicious content embedded in mined session histories or git repositories, potentially reprogramming the model's extraction logic.

L2 · Data Operations (✓ mapped)

Directly accesses highly sensitive data operations by reading local session transcripts and git history. This exposes the agent to data exfiltration risks if malicious code or secrets are present in the history, as well as data poisoning if history files are manipulated.

L3 · Agent Frameworks (✓ mapped)

Orchestrates memory lifecycle management, including auditing and pruning. Vulnerabilities here include memory poisoning (injecting false 'decisions' or 'mistakes' to bias future Claude sessions) and insecure tool execution when interacting with git CLI or file systems.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally within the developer's environment as a Claude Code plugin. If compromised, it poses a threat of local privilege escalation, unauthorized file system access, or lateral movement within the developer's workstation.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in evaluation, logging, or guardrails to monitor the plugin's memory pruning decisions, leaving potential blind spots for silent data corruption or unauthorized deletions.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — as a free, open-source plugin, it lacks explicit compliance certifications, access control policies, or formal audit trails beyond standard git history logs.

L7 · Agent Ecosystem (✓ mapped)

Integrates directly into the Claude Code ecosystem. A compromise of this plugin could lead to cascading failures or trust abuse, where other plugins or the main Claude agent rely on poisoned or corrupted memory states generated by echo-sleuth.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).