gopls-lsp — agentic threat model
The gopls-lsp agent acts as a bridge between Claude and a local Go language server (gopls). It presents moderate-to-high risk because it can run diagnostics, navigation, and code refactoring directly against the user's local codebase.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" carry general, caveated commentary because the public description did not pin down that layer.
Layer 1, Foundation Models (not certain from the listing): relies on Anthropic's Claude models. Threats include prompt injection, where malicious code comments or workspace files, surfaced to the model through LSP output, hijack the LLM's instructions.
Layer 2, Data Operations: the agent operates directly on local Go source files to provide diagnostics and navigation. There is a risk of data exfiltration if malicious code steers the agent into reading and leaking sensitive local files or environment variables.
Layer 3, Agent Frameworks: the framework integrates Claude with the gopls LSP server. Insecure tool integration is the primary threat, since refactoring commands or LSP requests could be manipulated to execute arbitrary code or to modify local files in unintended ways.
Layer 4, Deployment and Infrastructure: the gopls server is launched via the plugin manifest. If it runs without strict sandboxing, a compromise of the LSP plugin gives direct host filesystem access, privilege escalation, and execution of arbitrary Go binaries or build tools.
Layer 5, Evaluation and Observability (not certain from the listing): there is no mention of built-in logging, guardrails, or anomaly detection to monitor the LSP commands being executed or to detect malicious refactoring payloads.
Layer 6, Security and Compliance (not certain from the listing): the listing lacks explicit details on authorization boundaries, user confirmation prompts before refactoring changes are applied, or compliance with secure coding standards.
Layer 7, Agent Ecosystem: the plugin operates within the Anthropic tool/plugin ecosystem. Vulnerabilities could arise if other active agents or plugins can chain calls into the gopls-lsp tool to read or modify the codebase without explicit user consent.
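The Agent Frameworks and Security and Compliance layers above both come down to one missing control: an authorization boundary checked before a refactoring's WorkspaceEdit is written to disk. The Go snippet below is an added example, not code from gopls or the gopls-lsp plugin. FilterWorkspaceEdit is a hypothetical pre-apply guard that takes the workspace root and the file URIs a WorkspaceEdit names, and rejects anything outside the root, anything under a hidden path such as .git, and anything that is not a Go source or module file; the URIs and root path are constructed sample inputs, and POSIX paths are assumed.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// EditDecision records whether one file URI from a WorkspaceEdit may be applied.
type EditDecision struct {
	URI     string
	Path    string // cleaned local path; empty when the URI was not a file:// URI
	Allowed bool
	Reason  string // why the edit was rejected; empty when Allowed is true
}

// goSourceFile reports whether a path is one a Go refactoring could
// legitimately rewrite: a .go source file or a module definition file.
func goSourceFile(p string) bool {
	switch filepath.Base(p) {
	case "go.mod", "go.sum", "go.work", "go.work.sum":
		return true
	}
	return strings.HasSuffix(p, ".go")
}

// FilterWorkspaceEdit is a hypothetical guard (not part of gopls or the
// gopls-lsp plugin) meant to run before a WorkspaceEdit is applied. It decides,
// per file, whether the edit stays inside the authorization boundary.
// Assumes POSIX paths; symlinks inside the workspace are not resolved here.
func FilterWorkspaceEdit(root string, uris []string) []EditDecision {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		absRoot = filepath.Clean(root)
	}
	sep := string(filepath.Separator)
	out := make([]EditDecision, 0, len(uris))
	for _, u := range uris {
		d := EditDecision{URI: u}
		parsed, err := url.Parse(u)
		if err != nil || parsed.Scheme != "file" {
			d.Reason = "not a file:// URI"
			out = append(out, d)
			continue
		}
		// url.Parse has already percent-decoded the path, so an encoded
		// ".." segment is visible to Clean rather than slipping past it.
		p := filepath.Clean(parsed.Path)
		d.Path = p
		rel, err := filepath.Rel(absRoot, p)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
			d.Reason = "outside workspace root"
			out = append(out, d)
			continue
		}
		hidden := false
		for _, seg := range strings.Split(rel, sep) {
			if seg != "." && strings.HasPrefix(seg, ".") {
				hidden = true
				break
			}
		}
		if hidden {
			d.Reason = "touches a hidden file or directory (e.g. .git, .env)"
			out = append(out, d)
			continue
		}
		if !goSourceFile(p) {
			d.Reason = "not a Go source or module file"
			out = append(out, d)
			continue
		}
		d.Allowed = true
		out = append(out, d)
	}
	return out
}

func main() {
	// Constructed sample: one legitimate rename target and four edits that
	// a manipulated refactoring request might try to smuggle in.
	uris := []string{
		"file:///home/dev/proj/internal/server.go",
		"file:///home/dev/proj/../../.ssh/authorized_keys",
		"file:///home/dev/proj/.git/hooks/pre-commit",
		"https://example.invalid/x.go",
		"file:///home/dev/proj/scripts/build.sh",
	}
	for _, d := range FilterWorkspaceEdit("/home/dev/proj", uris) {
		if d.Allowed {
			fmt.Printf("APPLY  %s\n", d.Path)
		} else {
			fmt.Printf("REJECT %s (%s)\n", d.URI, d.Reason)
		}
	}
}
```

The rejected entries are exactly the places where a user confirmation prompt or an audit log entry belongs; an agent host that applies only the Allowed subset and surfaces the rest to the user closes the "modify local files in unintended ways" path without disabling refactoring.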
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).