JetBrains IDE — agentic threat model
The JetBrains IDE MCP proxy presents an extremely high-risk profile due to its ability to execute arbitrary code and modify local project files without sandboxing, effectively turning any client-agent compromise into a full local host compromise.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from listing" are general, caveated commentary where the public description did not pin down that layer.
1. Foundation Models: Not certain from the listing. The proxy itself does not bundle a foundation model; it connects an external LLM/agent to the JetBrains IDE. Threats at this layer depend on the client model used.
2. Data Operations: The proxy has full access to the local project workspace (source code, configuration, potentially local secrets/env files). Threats include exfiltration of proprietary code and workspace poisoning.
3. Agent Frameworks: Integrates via the Model Context Protocol (MCP). Vulnerable to tool misuse (e.g., executing malicious shell commands, deleting files) and insecure tool integration if the client agent is manipulated.
4. Deployment and Infrastructure: Runs locally as a proxy process with the privileges of the local developer. Lacks sandboxing by default, presenting a large local-execution attack surface and the potential for host compromise.
5. Evaluation and Observability: Not certain from the listing. No built-in logging, guardrails, or evaluation mechanisms are described for monitoring malicious tool calls or code execution.
6. Security and Compliance: The description lists no explicit authorization controls or fine-grained permission policies; the proxy inherits the local user's permissions, posing compliance risks (e.g., IP protection).
7. Agent Ecosystem: Acts as an MCP tool provider. Vulnerable to rogue or compromised client agents abusing the toolset to execute arbitrary code or exfiltrate local project data.
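The gaps above (no authorization policy, no audit log, paths resolved with the developer's full permissions) can be closed by placing a policy guard between the client agent and the tool provider. The following is an added example, not code from the JetBrains proxy: it inspects MCP `tools/call` JSON-RPC messages, allows only an allow-listed set of read-only tools, confines file arguments to the workspace root and records every decision. Tool names, argument names and the sample traffic are hypothetical/constructed.

```python
"""Policy guard in front of an MCP tool provider (added example, hypothetical
tool and argument names): allow-list tools, confine paths, audit every call."""
from pathlib import Path

ALLOWED_TOOLS = {"get_file_text", "list_files", "find_usages"}  # read-only tools only
PATH_ARGS = {"path", "pathInProject", "file"}                     # arguments naming files


def path_escapes(raw: str, root: Path) -> bool:
    """True if raw, resolved against root (following '..' and symlinks), leaves root."""
    root = root.resolve()
    return not (root / raw).resolve().is_relative_to(root)


def evaluate(msg: dict, root: Path) -> tuple[bool, str]:
    """Decide whether one JSON-RPC message may pass; non-tool calls pass untouched."""
    if msg.get("method") != "tools/call":
        return True, "not a tool call"
    params = msg.get("params") or {}
    name, args = params.get("name", ""), params.get("arguments") or {}
    if name not in ALLOWED_TOOLS:
        return False, f"tool '{name}' is not allow-listed"
    for key in PATH_ARGS & set(args):
        if path_escapes(str(args[key]), root):
            return False, f"argument '{key}' escapes the workspace"
    return True, "ok"


def guard(messages: list, root: Path, audit: list) -> list:
    """Filter messages; one audit record per decision; returns the allowed messages."""
    allowed = []
    for msg in messages:
        ok, reason = evaluate(msg, root)
        tool = (msg.get("params") or {}).get("name")
        audit.append({"id": msg.get("id"), "tool": tool, "allowed": ok, "reason": reason})
        if ok:
            allowed.append(msg)
    return allowed


# Constructed sample traffic (not captured from a real session); tool names are hypothetical.
SAMPLE = [
    {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
     "params": {"name": "get_file_text", "arguments": {"pathInProject": "src/main.py"}}},
    {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
     "params": {"name": "run_shell_command", "arguments": {"command": "whoami"}}},
    {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
     "params": {"name": "get_file_text", "arguments": {"pathInProject": "../outside/secrets.env"}}},
]
WORKSPACE = Path.cwd() / "workspace"  # assumed project root

if __name__ == "__main__":
    log = []
    for m in guard(SAMPLE, WORKSPACE, log):
        print("forward", m["id"])
    for rec in log:
        print(rec)
```

Run as-is, only message 1 is forwarded; messages 2 and 3 are denied and the audit list holds the reason for each.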
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).