PiloTY — agentic threat model
PiloTY presents an exceptionally high-risk agentic profile by granting LLMs direct, stateful, and interactive terminal control (PTY) and SSH capabilities, allowing arbitrary command execution on remote hosts.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.90 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 1.00 |
| Persistent Memory | 0.60 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.90 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.80 |
| Opacity & Reflexivity | 0.70 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — PiloTY is an MCP tool/framework rather than a model itself. However, the underlying LLM is highly vulnerable to indirect prompt injection via terminal outputs or SSH banners, which could hijack the active shell session.
Layer 2 (Data Operations): Not certain from the listing — No explicit RAG or vector database is described. The primary data risk is the exfiltration of sensitive terminal outputs, configuration files, or environment variables read during SSH/PTY sessions.
Layer 3 (Agent Frameworks): The agent framework layer is highly critical here; PiloTY provides stateful PTY and SSH tool integrations. Insecure tool integration or a lack of strict input sanitization allows an LLM to execute arbitrary, destructive shell commands or run unauthorized background processes.
Layer 4 (Deployment & Infrastructure): Extremely high risk. PiloTY manages SSH connections and interactive terminals. Without strict containerization, network segmentation, and non-root execution, a compromised session allows immediate lateral movement, host compromise, and access to production infrastructure.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of built-in logging, session recording, or command guardrails. The lack of real-time monitoring for executed terminal commands represents a major observability blind spot.
Layer 6 (Security & Compliance): The tool handles high-privilege SSH credentials and session state. The listing does not mention any built-in authentication, authorization policies, or access controls to restrict which commands the agent can execute or which hosts it can connect to.
Layer 7 (Agent Ecosystem): As an MCP tool, PiloTY can be exposed to other agents. If an upstream orchestrator agent is compromised, it can abuse PiloTY's terminal access to execute cascading attacks across all connected remote hosts.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).