OpenCode — agentic threat model

AIVSS 9.9 · Critical

OpenCode presents a high agentic risk profile due to its deep integration with local terminal environments, file systems, and CI/CD pipelines (GitHub Actions). The potential for indirect prompt injection via public GitHub issues or PRs to execute arbitrary code in runner environments represents a critical supply chain threat.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 9.8
AARS uplift: 0.13
Factor sum: 5.8/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.80
Self-Modification: 0.20
Dynamic Tool Use: 0.90
Persistent Memory: 0.30
Contextual Awareness: 0.80
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.10
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Connects to multiple external model providers or uses free local models. Vulnerable to adversarial prompt injection, model reprogramming, and misaligned code generation outputs that could introduce security vulnerabilities into the codebase.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — the exact mechanism for indexing, vectorizing, or caching codebase data is not specified, though it reads and writes local files. Gaps in data lineage or insecure local storage of codebase embeddings could lead to local data exfiltration.

L3 · Agent Frameworks (✓ mapped)

Orchestrates multi-file edits, refactoring, and terminal commands. High risk of tool misuse or insecure tool integration, where malicious instructions (e.g., via a compromised codebase or prompt injection) could trigger destructive terminal commands or unauthorized file modifications.

L4 · Deployment & Infrastructure (✓ mapped)

Deploys as a desktop app, IDE extension, or inside GitHub Actions runners. Compromise of the agent can lead to local host compromise, privilege escalation on the developer's machine, or lateral movement/secrets theft within the CI/CD runner environment.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in guardrails, evaluation frameworks, or observability logging to monitor agent actions, detect anomalous commands, or prevent unauthorized file system changes.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — as an open-source tool, it lacks explicit enterprise compliance certifications (e.g., SOC2) or built-in policy enforcement mechanisms to restrict actions based on user roles or repository sensitivity.

L7 · Agent Ecosystem (✓ mapped)

Integrates with the GitHub ecosystem (issues and PRs). This introduces a severe risk of indirect prompt injection, where an untrusted external user could comment on a public issue/PR to trigger the agent inside a GitHub Actions runner and execute malicious code.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).