Kilo Code — agentic threat model

AIVSS 8.1 · High

Kilo Code presents a high-risk profile due to its ability to execute terminal commands and automate browsers directly on the host machine, combined with an extensible MCP tool marketplace. While open-source transparency and user-approval gates mitigate some risk, a prompt injection attack could lead to full local host compromise.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.74
Factor sum: 6.2/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.85

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.30
Dynamic Tool Use: 0.90
Persistent Memory: 0.40
Contextual Awareness: 0.80
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.60
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
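The score above can be recomputed from the published formula and the ten factor values on this page. The following is an added worked example, not part of the listing or of the AIVSS calculator; the severity bands are assumed to follow the CVSS v3 qualitative scale, since the listing only labels 8.1 as "High".

```python
# Agentic risk factors exactly as listed on the page (each scored 0.0-1.0).
KILO_CODE_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.50,
    "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}


def severity(score):
    """CVSS v3 qualitative bands; assumed mapping, the listing only labels 8.1 as High."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, with
    AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM (the page's formula)."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must lie in 0-10")
    if any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("each agentic factor must lie in 0-1")
    factor_sum = sum(factors.values())  # 6.2 for Kilo Code
    # AARS only consumes the headroom above the CVSS base, so the
    # pre-mitigation total can never exceed 10.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    total = (cvss_base + aars) * mitigation_factor
    return {
        "factor_sum": round(factor_sum, 2),
        "aars": round(aars, 2),
        "aivss": round(total, 1),
        "severity": severity(round(total, 1)),
    }


if __name__ == "__main__":
    # Page values: CVSS 8.8, ThM 1.0, mitigation 0.85 -> AIVSS 8.1 (High).
    print(aivss_score(8.8, KILO_CODE_FACTORS, 1.0, 0.85))
    # Without the 0.85 mitigation credit the same agent scores 9.5 (Critical).
    print(aivss_score(8.8, KILO_CODE_FACTORS, 1.0, 1.0))
```

The second call shows what the 0.85 mitigation factor (open-source transparency and user-approval gates) is worth: it is the only thing keeping this agent out of the Critical band.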

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Connects to 400+ frontier and open models via OpenRouter and similar providers. This introduces exposure to model-specific vulnerabilities, adversarial prompt injections, and potential data leakage depending on the chosen model provider's privacy policy.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — operates directly on local codebases and workspace files, but details on local vector embeddings, RAG indexing, or secure data handling of sensitive code assets are not specified.

L3 · Agent Frameworks (✓ mapped)

Features dedicated modes (Architect, Coder, Debugger) and supports terminal and browser automation. The primary threat is tool misuse or hijacking, where malicious instructions in a codebase could trick the agent into executing destructive terminal commands.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally as a VS Code or JetBrains IDE extension. This deployment model means the agent operates with the user's local privileges, posing a severe risk of host compromise, local file exfiltration, or unauthorized network access if compromised.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — mentions user approval for browser automation, but lacks details on built-in guardrails, automated safety evaluations, or comprehensive logging of executed terminal commands.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — open-source nature allows transparent configuration and community auditing, but no enterprise compliance certifications (e.g., SOC2, ISO) or formal policy enforcement mechanisms are mentioned.

L7 · Agent Ecosystem (✓ mapped)

Supports an MCP-style server marketplace for extending the agent with custom tools. This introduces ecosystem risks, such as users installing malicious or poorly vetted third-party MCP servers that could compromise the IDE environment.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).