
github-sensitive-data-cleanup — agentic threat model

AIVSS 7.8 · High

The github-sensitive-data-cleanup agent possesses a high-risk profile due to its write and force-push access to git repositories, where a compromise or LLM hallucination could result in permanent data loss, repository corruption, or the exfiltration of discovered secrets.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.72
Factor sum: 4.6/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.85

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.10
Non-Determinism: 0.40
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
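To make the score rationale checkable, the following added example (not part of the AgentReady listing) recomputes the AIVSS score from the inputs the page publishes, using the formula exactly as stated above; the factor names and values are copied from the page, and the rounding to one decimal is an assumption about how the headline score is displayed.

```python
# Added example: recompute the page's AIVSS score from its published inputs.
# Formula as stated on the page:
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor

# The ten agentic risk factors, values copied from the listing.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.50,
}

# Remaining inputs from the page's score rationale.
CVSS_BASE = 8.5
THREAT_MULTIPLIER = 1.05   # ThM
MITIGATION_FACTOR = 0.85


def aivss(cvss_base, factors, thm, mitigation):
    """Return the intermediate values and the final AIVSS score.

    The factor sum is the plain sum of the ten agentic factors, so each
    factor contributes at most 1.0 and the sum is out of 10.
    """
    factor_sum = sum(factors.values())
    aars = (10 - cvss_base) * (factor_sum / 10) * thm
    score = (cvss_base + aars) * mitigation
    return {
        "factor_sum": factor_sum,
        "aars": aars,
        "aivss": score,
        # Assumption: headline score shown rounded to one decimal place.
        "aivss_display": round(score, 1),
    }


if __name__ == "__main__":
    result = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    for key, value in result.items():
        print(f"{key}: {value:.4f}")
```

Running it reproduces the page's components (factor sum 4.6, AARS 0.72, score 7.8), so the listed inputs are internally consistent with the headline score.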

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the specific foundation models used for PII/secret detection are not disclosed. If LLMs are used for classification, they are vulnerable to prompt injection that could trick the agent into ignoring actual secrets or falsely flagging and deleting benign code.

L2 · Data Operations (✓ mapped)

The agent processes highly sensitive data, specifically git history containing leaked secrets, API keys, and PII. There is a severe risk of data exfiltration if the agent's memory or output channels are compromised, potentially exposing the very secrets it is tasked with cleaning.

L3 · Agent Frameworks (✓ mapped)

The agent framework orchestrates destructive git commands (history rewriting, force-pushing). Vulnerabilities in the orchestration code or tool-calling mechanism could allow an attacker to inject arbitrary git commands, leading to unauthorized repository modification or deletion.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — the execution environment (sandbox, local runner, or cloud container) is not specified. Because the agent executes mutating shell/git commands, a lack of strict containerization could allow container escape or host compromise.

L5 · Evaluation & Observability (✓ mapped)

The agent features built-in safety checks, including pre-push visibility and backup verification. However, if the logging or observability stack is compromised, an attacker could bypass these checks or hide malicious history-rewriting activities.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

This agent requires high-privilege write and force-push permissions to target repositories. Compromise of the agent's identity or credentials represents a critical risk, as it holds the keys to modify or destroy repository history.

L7 · Agent Ecosystem (✓ mapped)

As a 'Community Agent Skill', this tool may be integrated into larger multi-agent workflows or developer environments. Malicious updates to this community skill could introduce supply-chain vulnerabilities, compromising any repository it is granted access to.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).