pstack — agentic threat model
pstack is a high-risk agentic developer tool that operates directly on local codebases with multi-step planning capabilities, presenting significant supply chain and local code execution risks if compromised.
OWASP AIVSS score rationale
| Factor | Score |
| --- | --- |
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.90 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" are general, caveated commentary for layers that the public description did not pin down.
Layer 1, Foundation Models (not certain from the listing): Likely relies on Cursor's upstream LLMs (e.g., GPT-4, Claude). Threats include prompt injection that forces the model to generate backdoored code or to bypass the quality guardrails.
Layer 2, Data Operations (not certain from the listing): Operates on the local codebase as its primary data source. Threats include codebase poisoning, where malicious files in the repository manipulate the agent's context and output.
Layer 3, Agent Frameworks: Orchestrates multi-step workflows and parallel task decomposition to edit code. Threats include insecure tool integration, where the file-writing and editing capabilities are hijacked to modify sensitive system files.
Layer 4, Deployment and Infrastructure: Runs locally within the user's Cursor IDE environment. Threats include local privilege escalation, access to local environment variables and secrets, and a lack of sandboxing from the host operating system.
Layer 5, Evaluation and Observability: Employs "quality-over-speed guardrails" to govern code generation. Threats include guardrail bypass via complex or adversarial codebase contexts that trick the evaluation logic.
Layer 6, Security and Compliance (not certain from the listing): As a free, open-source, community-authored plugin, it lacks visible enterprise security compliance, formal access controls, or audit logging.
Layer 7, Agent Ecosystem: Distributed via the Cursor plugins marketplace. Threats include marketplace supply chain attacks, such as malicious updates to the plugin or typosquatting of community-authored extensions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).