offensive-osint (Claude-Red) — agentic threat model
The offensive-osint agent possesses high agentic risk due to its ability to autonomously orchestrate powerful reconnaissance tools and query sensitive external APIs (Shodan, breach databases). Without built-in guardrails or sandboxing, a compromise or prompt injection could lead to unauthorized scanning, credential exposure, or SSRF.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
| --- | --- | --- |
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — likely built on Anthropic's Claude models, given the 'Claude-Red' name. Those models are susceptible to prompt injection, to jailbreaking that bypasses safety filters around offensive reconnaissance, and to adversarial inputs crafted to trigger malicious tool execution.
Layer 2 (Data Operations): Processes highly sensitive external data, including breach databases, GitHub leaks and infrastructure maps. Risks include ingestion of poisoned OSINT data, malicious payloads embedded in target metadata (e.g., DNS records or Shodan banners) that lead to injection, and no data provenance for harvested credentials.
Layer 3 (Agent Frameworks): Orchestrates complex multi-step reconnaissance workflows using external APIs (Shodan, Censys, geolocation, crypto tracing). High risk of tool misuse if an attacker manipulates the agent's planning so that it scans unauthorized targets or exfiltrates API keys via outbound queries.
Layer 4 (Deployment & Infrastructure): Not certain from the listing — as an open-source 'Agent Skill', deployment depends on the user's environment. It does, however, require storage of sensitive API keys (Shodan, Censys, etc.) and outbound network access to query external services, which presents credential-theft and SSRF risks if it is not sandboxed.
Layer 5 (Evaluation & Observability): Not certain from the listing — no built-in logging, guardrails or observability mechanisms are described. Without external monitoring, malicious or unauthorized reconnaissance (e.g., targeting restricted infrastructure) could go undetected.
Layer 6 (Security & Compliance): Not certain from the listing — being an open-source skill, it has no native compliance frameworks, access controls or authorization policies. It relies entirely on the host application to enforce boundaries on which targets can be queried.
Layer 7 (Agent Ecosystem): Not certain from the listing — described as a standalone 'reconnaissance skill' from Claude-Red, but it could be integrated into larger multi-agent offensive-security frameworks, introducing risks of cascading tool execution or unauthorized delegation of scanning tasks.
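The gaps noted for the agent-framework, deployment, observability and compliance layers (tool calls against unauthorised targets, outbound queries that could carry API keys or reach internal services, and no logging) are all things the host application can enforce, which is where this threat model says the boundary has to live. The following is an added example of such a tool-call policy gate; it is not code from the offensive-osint skill or from Claude-Red. The tool names `shodan_host`, `dns_lookup` and `breach_lookup`, their argument keys, the engagement scope and the key value are constructed for the example.

```python
"""Tool-call policy gate for an OSINT agent: engagement-scope allowlist, SSRF
guard for internal/metadata addresses, secret-exfiltration check and an audit
trail.  Added illustration, not code from the offensive-osint skill; the tool
names, argument keys, scope and key value below are constructed."""
from __future__ import annotations
import ipaddress
import json
import time
from dataclasses import dataclass, field

# Which argument carries the target for each permitted tool (constructed names).
TARGET_ARG = {"shodan_host": "ip", "dns_lookup": "domain", "breach_lookup": "email"}

# Address ranges an OSINT tool running inside a host should never be pointed at:
# "this" network, RFC 1918, CGNAT, loopback, link-local (cloud metadata sits at
# 169.254.169.254), multicast and the IPv6 equivalents.  Adjust per engagement.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class ScopePolicy:
    domains: set[str]        # authorised domain suffixes for this engagement
    networks: list           # authorised public CIDRs (ipaddress networks)
    secrets: set[str]        # configured API-key values that must never appear in args
    audit: list[dict] = field(default_factory=list)

    def target_in_scope(self, target: str):
        """Return (ok, reason) for a literal IP address or a hostname."""
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            host = target.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in self.domains):
                return True, "domain in scope"
            return False, f"domain not in scope: {host}"
        if any(ip in net for net in BLOCKED):
            return False, f"internal or reserved address refused: {ip}"
        if any(ip in net for net in self.networks):
            return True, "ip in scope"
        return False, f"ip not in scope: {ip}"

    def _redact(self, value: str) -> str:
        for s in self.secrets:
            value = value.replace(s, "[REDACTED]")
        return value

    def gate(self, tool: str, args: dict) -> dict:
        """Decide whether one tool call may proceed.  Every decision is logged,
        with secret values scrubbed so the audit trail itself does not leak keys."""
        decision = {"ts": time.time(), "tool": tool,
                    "args": {k: self._redact(str(v)) for k, v in args.items()},
                    "allowed": False, "reason": ""}
        arg = TARGET_ARG.get(tool)
        if arg is None:
            decision["reason"] = f"tool not permitted: {tool}"
        elif any(s in str(v) for v in args.values() for s in self.secrets):
            # A prompt-injected plan may try to smuggle a key out inside a query.
            decision["reason"] = "configured secret present in tool arguments"
        else:
            target = str(args.get(arg, ""))
            if "@" in target:                 # e-mail address: scope on its domain
                target = target.rsplit("@", 1)[1]
            ok, reason = self.target_in_scope(target)
            decision.update(allowed=ok, reason=reason)
        self.audit.append(decision)
        return decision


def demo() -> list[dict]:
    """Run a constructed batch of tool calls through the gate and return the decisions."""
    policy = ScopePolicy(
        domains={"example.com"},                                  # constructed scope
        networks=[ipaddress.ip_network("203.0.113.0/24")],        # constructed scope
        secrets={"shodan-key-CONSTRUCTED"},                       # constructed key value
    )
    calls = [
        ("shodan_host", {"ip": "203.0.113.7"}),                  # in scope
        ("shodan_host", {"ip": "169.254.169.254"}),              # metadata endpoint
        ("dns_lookup", {"domain": "mail.example.com"}),          # subdomain in scope
        ("dns_lookup", {"domain": "example.com.evil.test"}),     # suffix spoof
        ("breach_lookup", {"email": "ceo@example.com"}),         # scoped on domain
        ("dns_lookup", {"domain": "example.com",
                        "note": "key=shodan-key-CONSTRUCTED"}),  # key in an argument
        ("nmap_scan", {"ip": "203.0.113.7"}),                    # tool not permitted
    ]
    return [policy.gate(t, a) for t, a in calls]


if __name__ == "__main__":
    for d in demo():
        print(json.dumps(d))
```

The gate only sees literal targets, so a hostname that resolves to an internal address would slip past it; the same `BLOCKED` check has to be applied again at the resolver or HTTP client that actually opens the connection, otherwise DNS rebinding defeats the scope check. In a real deployment the `audit` list would be replaced by an append-only log the agent process cannot edit.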
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).