Minima (Local RAG) — agentic threat model
Minima presents a low-to-moderate risk profile because its local-only, privacy-preserving architecture removes cloud-based data exfiltration vectors. Its security posture, however, relies heavily on correctly scoping local directory indexing so that connected agents cannot reach sensitive local files outside the intended folders.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
| --- | --- | --- |
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.10 | |
| Persistent Memory | 0.40 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The specific embedding and LLM models used for local RAG are not detailed, leaving potential vulnerabilities to model-specific adversarial inputs or local data poisoning unassessed.
Layer 2 (Data Operations): Minima indexes local files to build its RAG context. The primary threat is local data poisoning (e.g., placing malicious files in the indexed directory) and embedding inversion, which could expose sensitive local data if the vector store is accessed by unauthorized local processes.
Layer 3 (Agent Frameworks): As an MCP server, Minima integrates directly into agent frameworks. Vulnerabilities lie in how the host agent handles the retrieved context, including potential prompt injection if the retrieved local text contains malicious instructions.
Layer 4 (Deployment & Infrastructure): Minima runs locally on-device. The risk is tied to the host environment's security; if the process runs with elevated privileges, a directory traversal vulnerability in the indexing tool could allow access to restricted system files.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of built-in logging, evaluation metrics, or guardrails to monitor what data is being indexed or retrieved by the MCP server.
Layer 6 (Security & Compliance): The primary security control is directory scoping (limiting the indexer to specific folders). However, no explicit authentication or authorization mechanisms are mentioned to restrict which local agents or users can query the MCP server.
Layer 7 (Agent Ecosystem): Minima is designed to serve context to other agents in an ecosystem. A compromised or rogue agent in the same environment could abuse this trust relationship to query Minima and exfiltrate sensitive local files.
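As an added example (not Minima's own code) of the directory-scoping control and the traversal risk raised for the deployment and security layers above: a scoped-indexing check in Python that resolves every candidate path and refuses anything outside the configured roots, including `..` segments and symlinks that point out of scope. The function names and the temporary directory layout are assumptions for illustration.

```python
"""Added example (not Minima's own code): enforce directory scoping for a local
RAG indexer so traversal sequences and symlinks cannot pull files from outside
the configured roots into the vector store."""
import os
import tempfile
from pathlib import Path


def is_within(path: Path, root: Path) -> bool:
    """True if the fully resolved path (symlinks followed) lies under root."""
    try:
        path.resolve(strict=True).relative_to(root.resolve(strict=True))
        return True
    except (ValueError, OSError):
        return False


def scoped_files(roots, candidates):
    """Split candidates into (allowed, rejected): only regular files whose
    resolved location sits under a configured root are indexed; '../' escapes
    and symlinks pointing out of scope are rejected, not silently indexed."""
    roots = [Path(r) for r in roots]
    allowed, rejected = [], []
    for cand in candidates:
        p = Path(cand)
        if p.is_file() and any(is_within(p, r) for r in roots):
            allowed.append(str(p.resolve()))
        else:
            rejected.append(str(cand))
    return allowed, rejected


def demo():
    """Constructed layout: docs/ is the only indexed root; secret.txt sits
    beside it and is also reachable through a symlink placed inside docs/."""
    base = Path(tempfile.mkdtemp())
    docs = base / "docs"
    docs.mkdir()
    (docs / "notes.md").write_text("meeting notes")
    (base / "secret.txt").write_text("out of scope")
    os.symlink(base / "secret.txt", docs / "link.txt")
    candidates = [docs / "notes.md", docs / ".." / "secret.txt", docs / "link.txt"]
    return scoped_files([docs], candidates)


if __name__ == "__main__":
    print(demo())
```

Running it indexes only `notes.md`; both the `../secret.txt` escape and the `link.txt` symlink are rejected because their resolved locations fall outside `docs/`.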
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).