
remember (claude-remember) — agentic threat model

AIVSS 8.1 · High

The 'remember' agent introduces significant privacy and prompt-injection risks by persisting and summarizing local Claude Code session logs across sessions. Its primary threat vector is memory poisoning, where malicious content in past conversations could be summarized and later executed or leaked during subsequent sessions.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 6.5
AARS uplift: 1.57
Factor sum: 4.5/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.50
Dynamic Tool Use: 0.30
Persistent Memory: 1.00
Contextual Awareness: 0.70
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.40
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
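The score above, recomputed from the listed formula and factor values so the arithmetic can be checked (an added example, not the listing's own calculator code; the half-up rounding of the headline score is an assumption):

```python
from fractions import Fraction
from decimal import Decimal, ROUND_HALF_UP

# Agentic risk factors exactly as listed for the 'remember' agent.
FACTORS = {
    "Autonomy of Action": "0.40",
    "Goal-Driven Planning": "0.20",
    "Self-Modification": "0.50",
    "Dynamic Tool Use": "0.30",
    "Persistent Memory": "1.00",
    "Contextual Awareness": "0.70",
    "Dynamic Identity": "0.10",
    "Multi-Agent Interactions": "0.40",
    "Non-Determinism": "0.50",
    "Opacity & Reflexivity": "0.40",
}


def factor_sum(factors):
    """Sum the ten 0..1 agentic factors exactly (Fraction avoids float drift)."""
    return sum(Fraction(v) for v in factors.values())


def aivss(cvss_base, factors, threat_multiplier="1.0", mitigation_factor="1.0"):
    """Apply the two-step formula from the listing; returns (AARS, AIVSS) as Fractions.

    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    """
    base = Fraction(cvss_base)
    aars = (10 - base) * (factor_sum(factors) / 10) * Fraction(threat_multiplier)
    score = (base + aars) * Fraction(mitigation_factor)
    return aars, score


def to_one_decimal(value):
    """Round a Fraction half-up to one decimal (assumed display rule for the headline score)."""
    dec = Decimal(value.numerator) / Decimal(value.denominator)
    return dec.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    aars, score = aivss("6.5", FACTORS)
    print(f"factor sum  = {factor_sum(FACTORS)}")   # 9/2, i.e. 4.5/10
    print(f"AARS uplift = {float(aars)}")           # 1.575 (displayed as 1.57 on the listing)
    print(f"AIVSS       = {to_one_decimal(score)}") # 8.1
```

Persistent Memory (1.00) is the single largest term in the factor sum, which is consistent with the memory-poisoning emphasis of the summary.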

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models (✓ mapped)

Relies on Claude Code's underlying foundation models for summarization and compression. Threat: Indirect prompt injection where malicious inputs in past conversations are summarized into persistent memory, potentially hijacking future sessions.

L2 · Data Operations (✓ mapped)

Extracts, summarizes, and compresses local session logs into tiered daily logs. Threat: Local data exfiltration or unauthorized access to sensitive developer data stored in plaintext logs, and memory poisoning of the knowledge base.

L3 · Agent Frameworks (✓ mapped)

Orchestrates memory retrieval and storage via hooks. Threat: Insecure tool integration where the hooks reading/writing local session logs can be manipulated to read unauthorized files or inject malicious state into the agent framework.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally as a plugin for Claude Code. Threat: Local file system compromise or privilege escalation if the host environment running Claude Code is not properly sandboxed.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of evaluation, guardrails, or observability tools to monitor the integrity of the summarized logs or detect anomalous memory injections.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — as a free, open-source plugin, it lacks explicit compliance frameworks, access control policies, or audit logging mechanisms, though it explicitly notes the privacy-relevant nature of local persistence.

L7 · Agent Ecosystem (✓ mapped)

Acts as an extension/plugin interacting directly with Claude Code. Threat: Cascading failures where a compromise of the memory plugin leads to the compromise of the primary Claude Code agent, allowing unauthorized local actions.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).