github — agentic threat model

AIVSS 8.3 · High

This agent wraps the official GitHub MCP server, granting Claude Code full API access to create issues, manage pull requests, and search repositories. Its overall risk posture is high due to the potential for automated, unauthorized code modification or sensitive repository exfiltration if the underlying LLM is manipulated.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.77 · Factor sum 4.9/10 · Threat ×1.05 · Mitigation ×0.9

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.30
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
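To make the rationale above reproducible, here is an added example (not part of the listing or the AIVSS calculator) that carries the quoted formula through with the listing's ten factor values, CVSS base 8.5, threat multiplier 1.05 and mitigation factor 0.9. The input validation and the clamp to 10 are my additions, not something the formula as quoted specifies.

```python
from dataclasses import dataclass

# Agentic risk factors exactly as published in the listing (each 0.0 to 1.0).
LISTING_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


@dataclass(frozen=True)
class AivssBreakdown:
    cvss_base: float
    factor_sum: float
    aars: float
    score: float


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, where
    AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, as quoted in the listing."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must lie within 0..10")
    if len(factors) != 10:
        raise ValueError("AIVSS defines exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must lie within 0..1")
    factor_sum = sum(factors.values())
    # The (10 - base) term scales the agentic uplift to the headroom left above the CVSS base.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    # Clamp is an assumption here: ThM > 1 with weak mitigation could otherwise push past 10.
    score = min(10.0, (cvss_base + aars) * mitigation_factor)
    return AivssBreakdown(cvss_base, round(factor_sum, 2), round(aars, 3), round(score, 2))


def github_agent_score():
    """Reproduce the listing's headline: CVSS base 8.5, threat x1.05, mitigation x0.9."""
    return aivss(8.5, LISTING_FACTORS, 1.05, 0.9)


if __name__ == "__main__":
    b = github_agent_score()
    print(f"factor sum {b.factor_sum}, AARS {b.aars:.2f}, AIVSS {b.score:.1f}")
```

Changing a single factor (for example Self-Modification from 0.10 to 0.80) shows how little the agentic uplift can move the headline when the CVSS base is already high, which is why the listing's score is dominated by the 8.5 base.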

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — relies entirely on the host model (Claude Code) for reasoning. The primary threat is prompt injection or adversarial inputs that trick the model into executing unintended GitHub API calls or writing malicious code.

L2 · Data Operations (✓ mapped)

The agent performs repository searches and code reviews, exposing codebase intellectual property and potentially hardcoded secrets to the model context. Data exfiltration via prompt injection is a significant risk.

L3 · Agent Frameworks (✓ mapped)

Exposes GitHub API-backed tools to Claude Code via the Model Context Protocol (MCP). Vulnerabilities include tool misuse, where the model is manipulated into deleting branches, closing issues, or pushing unauthorized commits.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — the infrastructure security depends on how Claude Code hosts and runs the MCP server. Key threats include insecure storage of GitHub personal access tokens or OAuth credentials on the host machine.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in guardrails, audit logging, or monitoring of the API calls made by the MCP server to detect anomalous or malicious behavior.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Relies on GitHub's native authentication and token-based authorization. Security posture is highly dependent on the principle of least privilege applied to the user's GitHub token (e.g., read-only vs. write/admin access).

L7 · Agent Ecosystem (✓ mapped)

Operates as a plugin within the Claude Code ecosystem. A compromised upstream agent or malicious prompt within a repository could exploit this agent to perform unauthorized actions on the user's behalf (A2A trust abuse).

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).