
greptile — agentic threat model

AIVSS 8.2 · High

Greptile presents a high-risk profile primarily centered on data confidentiality, as it indexes and exposes entire proprietary codebases to natural-language querying via MCP, making it a prime target for indirect prompt injection and intellectual property exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.5
AARS uplift: 0.65
Factor sum: 2.6/10
Threat: ×1.0
Mitigation: ×1.0

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.30
Contextual Awareness: 0.70
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.20
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
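To make the score rationale above reproducible, here is the AIVSS formula carried through with the page's own factor values. This is an added example, not code from the listing page or from OWASP; the severity bands it uses are the standard CVSS qualitative bands (Low/Medium/High/Critical), which is an assumption about how the "High" label was derived.

```python
from decimal import Decimal, ROUND_HALF_UP

# Agentic risk factors exactly as listed on the page (each on a 0-1 scale).
FACTORS = {
    "Autonomy of Action": Decimal("0.20"),
    "Goal-Driven Planning": Decimal("0.20"),
    "Self-Modification": Decimal("0.00"),
    "Dynamic Tool Use": Decimal("0.30"),
    "Persistent Memory": Decimal("0.30"),
    "Contextual Awareness": Decimal("0.70"),
    "Dynamic Identity": Decimal("0.00"),
    "Multi-Agent Interactions": Decimal("0.20"),
    "Non-Determinism": Decimal("0.40"),
    "Opacity & Reflexivity": Decimal("0.30"),
}

CVSS_BASE = Decimal("7.5")


def factor_sum(factors):
    """Factor_Sum: the ten agentic factors added together (max 10)."""
    return sum(factors.values(), Decimal("0"))


def aars(cvss_base, factors, threat_multiplier=Decimal("1.0")):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.

    The uplift can never push the total past 10 because it scales the
    remaining headroom (10 - CVSS_Base) rather than the base itself.
    """
    headroom = Decimal("10") - cvss_base
    return headroom * (factor_sum(factors) / Decimal("10")) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=Decimal("1.0"),
          mitigation_factor=Decimal("1.0")):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, rounded to one decimal."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    # Decimal arithmetic avoids the 8.15 -> 8.1/8.2 float rounding ambiguity.
    return raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def severity(score):
    """Assumed qualitative bands (CVSS v3 style); not stated on the page."""
    if score >= Decimal("9.0"):
        return "Critical"
    if score >= Decimal("7.0"):
        return "High"
    if score >= Decimal("4.0"):
        return "Medium"
    if score > Decimal("0"):
        return "Low"
    return "None"


if __name__ == "__main__":
    score = aivss(CVSS_BASE, FACTORS)
    print(f"Factor sum: {factor_sum(FACTORS)}")
    print(f"AARS uplift: {aars(CVSS_BASE, FACTORS)}")
    print(f"AIVSS: {score} · {severity(score)}")
```

Running it reproduces the page's figures: factor sum 2.6, AARS uplift 0.65, and a final score of 8.2 (High). Because the mitigation factor multiplies the whole expression, the same function also shows what documented controls would buy: passing `mitigation_factor=Decimal("0.8")` drops the score to 6.5 (Medium), which is the lever a vendor listing should be trying to justify.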

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — Greptile likely relies on external LLMs (like Claude) for natural language processing, which are susceptible to indirect prompt injection (e.g., malicious instructions embedded in codebase comments) and output manipulation.

L2 · Data Operations · ✓ mapped

Greptile indexes entire codebases to perform RAG. This exposes the system to data exfiltration of proprietary source code, embedding inversion, and index poisoning if malicious code or documentation is ingested.

L3 · Agent Frameworks · ✓ mapped

The agent uses the Model Context Protocol (MCP) to expose codebase search tools to Claude. Vulnerabilities include tool misuse where an LLM is manipulated into executing overly broad search queries to exfiltrate large volumes of code.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — the infrastructure involves an MCP server communicating with Greptile's indexing service. Threats include exposure of repository access tokens (e.g., GitHub PATs) and potential container compromise during repository ingestion and parsing.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — There is no mention of query monitoring, logging, or guardrails to detect when sensitive files (like configuration files containing secrets) are being targeted by anomalous queries.
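The monitoring gap named above is the one a deployer can close on their own side, since MCP tool calls pass through a client they control. The following is an added example of such a guardrail, not part of the listing or of Greptile's product: it scans a constructed sample of MCP search-tool call records and raises an alert when a query's results land on secret-bearing files (pattern list and record format are both assumptions) or when a single query returns an unusually large slice of the repository.

```python
import json
import re

# Constructed sample of MCP tool-call records as a client-side proxy might log
# them. Field names (user, tool, query, files_returned) are assumed.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:01Z", "user": "alice", "tool": "search_codebase", "query": "where is the retry logic for HTTP calls", "files_returned": ["src/net/retry.py", "src/net/client.py"]}
{"ts": "2024-05-01T09:00:07Z", "user": "alice", "tool": "search_codebase", "query": "show me the database connection string", "files_returned": ["config/production.yml", ".env"]}
{"ts": "2024-05-01T09:01:30Z", "user": "bob", "tool": "search_codebase", "query": "list every file in the repository with its contents", "files_returned": ["src/a.py", "src/b.py", "src/c.py", "src/d.py", "src/e.py", "src/f.py", "src/g.py", "src/h.py", "src/i.py", "src/j.py", "src/k.py", "src/l.py"]}
{"ts": "2024-05-01T09:02:00Z", "user": "carol", "tool": "search_codebase", "query": "unit tests for the parser", "files_returned": ["tests/test_parser.py"]}
"""

# Assumed patterns for files that commonly carry credentials.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"(^|/)\.env(\..*)?$"),
    re.compile(r"(^|/)(id_rsa|id_ed25519)$"),
    re.compile(r"\.(pem|key|p12|pfx)$", re.IGNORECASE),
    re.compile(r"(^|/)config/.*\.(ya?ml|json|ini|toml)$"),
    re.compile(r"secret|credential|password", re.IGNORECASE),
]

# Assumed threshold: more than this many files from one query is a bulk pull.
BULK_RESULT_THRESHOLD = 10


def sensitive_hits(paths):
    """Return the subset of paths matching any secret-bearing pattern."""
    return [p for p in paths if any(rx.search(p) for rx in SENSITIVE_PATH_PATTERNS)]


def analyze_record(record):
    """Return a list of (severity, reason) findings for one tool-call record."""
    findings = []
    files = record.get("files_returned", [])
    hits = sensitive_hits(files)
    if hits:
        findings.append(("high", f"query touched secret-bearing files: {hits}"))
    if len(files) > BULK_RESULT_THRESHOLD:
        findings.append(("medium", f"bulk result set ({len(files)} files) from a single query"))
    return findings


def scan_log(log_text):
    """Parse newline-delimited JSON records and collect alerts per record."""
    alerts = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skipped rather than trusted
        for severity, reason in analyze_record(record):
            alerts.append({"ts": record.get("ts"), "user": record.get("user"),
                           "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample above this yields two alerts: a high-severity one for alice's query that returned `config/production.yml` and `.env`, and a medium-severity one for bob's twelve-file bulk pull; carol's routine query produces nothing. A real deployment would feed these into the same pipeline as other identity-aware logs so that the user behind the Claude session, not just the MCP server's service account, is attributable.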

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — Robust authorization controls are required to ensure that the user querying Claude has the appropriate permissions to view the specific repositories indexed by Greptile, preventing privilege escalation.

L7 · Agent Ecosystem · ✓ mapped

As an MCP-backed plugin, Greptile operates within Claude's broader agent ecosystem. A compromised orchestrator agent or a malicious co-agent could abuse the Greptile tool to silently map out codebase vulnerabilities or exfiltrate intellectual property.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).