Harness AI Code Agent — agentic threat model
The Harness AI Code Agent poses a high-impact risk due to its deep integration with local codebases and VCS (PR generation), making it a prime target for source code exfiltration or malicious code injection if compromised, though its operational autonomy is constrained by developer oversight.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0–1) |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the ten agentic risk factors above were estimated from the agent's publicly described capabilities rather than from hands-on testing.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary because the public description does not address that layer.
1. Foundation Models: Uses GPT-4 and Gemini Flash. Vulnerable to prompt injection, adversarial bypass of safety filters, and model reprogramming that steers it toward generating insecure or malicious code snippets.
2. Data Operations: Indexes the full codebase for semantic search and contextual chat. This creates a high risk of proprietary source exfiltration if the vector store or local cache is compromised, as well as potential codebase poisoning through the indexed content.
3. Agent Frameworks: Orchestrates code generation, refactoring, test generation, and pull-request creation. Vulnerabilities in the extension's orchestration framework could allow unauthorized file writes or execution of malicious commands through IDE integrations.
4. Deployment and Infrastructure: Deploys as an IDE extension (VS Code and JetBrains). If the local environment lacks sandboxing, a compromised extension could escalate privileges, read local environment variables, or move laterally within the developer's network.
5. Evaluation and Observability: Not certain from the listing — no explicit mention of real-time evaluation frameworks, output guardrails, or observability logging to detect drift or malicious code generation before it is committed.
6. Security and Compliance: Not certain from the listing — while Harness is an enterprise platform, the listing does not detail specific compliance certifications (e.g., SOC 2), access controls, or audit logging mechanisms for this IDE extension.
7. Agent Ecosystem: Not certain from the listing — no multi-agent collaboration or marketplace interactions are described; it operates primarily as a single-agent IDE assistant.
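The mitigations the Agent Frameworks and Deployment and Infrastructure entries above call for (no writes outside the repository, no arbitrary commands, no leakage of local environment variables) can be enforced by a small policy layer between the agent's planner and the filesystem/shell. The following is an added example written for this page, not Harness's code; the workspace path, deny-list globs, command allow-list, environment allow-list and sample tool calls are all constructed values.

```python
"""Least-privilege guard for IDE code-agent tool calls (added example).

Hypothetical policy layer, not Harness code: every write_file or
run_command request from the agent passes through evaluate_tool_call()
before anything touches disk or a shell. Paths, globs and allow-lists are
constructed sample values.
"""
from __future__ import annotations

import fnmatch
from pathlib import Path

# Paths a code agent must never write, even inside the workspace.
# fnmatch's "*" also matches "/", so ".git/*" covers the whole tree.
DENY_GLOBS = (".env", ".env.*", "*.pem", "*.key", ".git/*", ".github/workflows/*")
# Executables the agent may launch; argv[0] must match exactly (no paths).
ALLOWED_COMMANDS = frozenset({"pytest", "npm", "go"})
# Only these variables are forwarded to a child process; tokens stay behind.
ENV_PASSTHROUGH = frozenset({"PATH", "HOME", "LANG"})


class PolicyViolation(Exception):
    """Raised when a tool call would exceed the agent's granted privileges."""


def resolve_in_workspace(workspace: str | Path, candidate: str) -> Path:
    """Resolve candidate and require it to lie strictly inside workspace.

    resolve() collapses '..' and follows symlinks, so a link that points
    outside the repository is rejected along with plain traversal and
    absolute paths.
    """
    root = Path(workspace).resolve()
    target = (root / candidate).resolve()
    if root not in target.parents:
        raise PolicyViolation(f"path escapes workspace: {candidate!r}")
    return target


def check_write(workspace: str | Path, candidate: str) -> Path:
    """Permit a write only inside the workspace and outside DENY_GLOBS."""
    target = resolve_in_workspace(workspace, candidate)
    rel = target.relative_to(Path(workspace).resolve()).as_posix()
    for pattern in DENY_GLOBS:
        if fnmatch.fnmatch(rel, pattern) or fnmatch.fnmatch(target.name, pattern):
            raise PolicyViolation(f"write to protected path: {rel!r}")
    return target


def check_command(argv: list[str]) -> list[str]:
    """Permit only allow-listed executables, invoked without a shell."""
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        raise PolicyViolation(f"command not allowed: {argv[:1]!r}")
    # argv is meant for subprocess.run(argv, shell=False); reject tokens that
    # only make sense if someone later re-joins it into a shell string.
    if any(tok in {"&&", "||", ";", "|"} or tok.startswith("$(") for tok in argv):
        raise PolicyViolation("shell metacharacters rejected")
    return argv


def minimal_env(source: dict[str, str]) -> dict[str, str]:
    """Environment handed to agent subprocesses: allow-listed keys only."""
    return {k: v for k, v in source.items() if k in ENV_PASSTHROUGH}


def evaluate_tool_call(workspace: str | Path, call: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one agent tool call."""
    try:
        if call["tool"] == "write_file":
            return True, str(check_write(workspace, call["path"]))
        if call["tool"] == "run_command":
            return True, " ".join(check_command(call["argv"]))
        raise PolicyViolation(f"unknown tool: {call['tool']!r}")
    except PolicyViolation as exc:
        return False, str(exc)


# Constructed sample calls, shaped like an agent planner's tool requests.
SAMPLE_CALLS = [
    {"tool": "write_file", "path": "src/service.py"},
    {"tool": "write_file", "path": "../../home/dev/.ssh/authorized_keys"},
    {"tool": "write_file", "path": ".github/workflows/ci.yml"},
    {"tool": "write_file", "path": "deploy/.env"},
    {"tool": "run_command", "argv": ["pytest", "-q"]},
    {"tool": "run_command", "argv": ["curl", "http://example.invalid"]},
]


def run_demo(workspace: str = "/srv/agent/repo") -> list[bool]:
    """Evaluate SAMPLE_CALLS and return the allow/deny verdict per call."""
    return [evaluate_tool_call(workspace, c)[0] for c in SAMPLE_CALLS]


if __name__ == "__main__":
    for call, ok in zip(SAMPLE_CALLS, run_demo()):
        print("ALLOW" if ok else "DENY ", call)
    print(minimal_env({"PATH": "/usr/bin", "HARNESS_TOKEN": "constructed-secret"}))
```

Of the six constructed calls only the in-repository source write and the `pytest` run are allowed; the traversal into `~/.ssh`, the CI workflow edit, the `.env` write and the `curl` invocation are all denied. The deny list deliberately includes CI workflow files and the `.git` tree because a write there turns a code-generation compromise into a supply-chain one the moment the PR is merged, and `minimal_env` keeps platform tokens out of any subprocess the agent spawns.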
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).