AgentReadyHomeAgent Listing

← Orchestrate (Cursor plugin)

Orchestrate (Cursor plugin) — agentic threat model

9.6AIVSS 9.6 · Critical

Orchestrate presents a high-risk profile due to its multi-agent parallel execution model with read/write access to local codebases. The lack of explicit sandboxing or human-in-the-loop verification gates for generated code increases the potential for automated, cascading security compromises.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 1.1Factor sum 7.0/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.80
Goal-Driven Planning
0.90
Self-Modification
0.40
Dynamic Tool Use
0.80
Persistent Memory
0.50
Contextual Awareness
0.80
Dynamic Identity
0.30
Multi-Agent Interactions
1.00
Non-Determinism
0.80
Opacity & Reflexivity
0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — likely relies on Cursor's underlying models (e.g., GPT-4, Claude). Threats include prompt injection hijacking the planner or verifier roles to generate malicious code.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — reads and writes the local codebase. Threats include codebase exfiltration, poisoning of context via malicious files in the repository, and lack of data lineage for generated artifacts.

L3 · Agent Frameworks✓ mapped

The framework uses a custom planner/worker/verifier orchestration. Threats include insecure handoffs, state manipulation between sub-agents, and logic bypass where a worker bypasses the verifier to execute unauthorized commands.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — runs as a Cursor plugin spawning cloud agents. Threats include insecure communication channels between the local Cursor instance and cloud agents, and lack of sandboxing for executed code on the host machine.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — while the verifier role provides functional evaluation, security observability, audit logging of agent actions, and guardrails against malicious code generation are unspecified.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — no mention of compliance, authorization boundaries, or user-approval gates before writing to the codebase or executing commands.

L7 · Agent Ecosystem✓ mapped

Highly vulnerable to agent-to-agent trust abuse. A compromised worker agent could exploit weaknesses in the verifier agent's evaluation logic to inject backdoors into the codebase, leading to cascading multi-agent failures.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).