repohunt — agentic threat model
repohunt acts as an information-gathering bridge between AI agents and the live GitHub Search API, presenting a moderate risk profile primarily driven by untrusted data ingestion (READMEs/metadata) and the handling of a GITHUB_TOKEN.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — repohunt is described as an MCP tool/agent that expands intent into queries, but the specific underlying foundation model is not defined. The primary L1 threat is indirect prompt injection via untrusted README excerpts and metadata returned from the live GitHub Search API, which could reprogram the consuming LLM.
The agent performs real-time data retrieval from the GitHub Search API rather than maintaining a vector store. The primary threat is data poisoning of the context window, as malicious actors can craft GitHub repository metadata or READMEs specifically designed to inject malicious payloads or bias search results when ingested by the agent.
The framework orchestrates intent-to-multi-query expansion and deduplication. Vulnerabilities include insecure tool integration if the query expansion logic can be manipulated to execute arbitrary API calls, or if the deduplication/ranking logic is bypassed to prioritize malicious repositories.
The agent requires a GITHUB_TOKEN to interact with the GitHub API. If the deployment environment is compromised, this token could be exfiltrated. There is no mention of sandboxing or secure containerization for the execution of the MCP server.
Not certain from the listing — there are no details regarding logging, guardrails, or anomaly detection for the queries generated or the content ingested. This creates a blind spot where malicious injection attempts via READMEs may go unnoticed.
The agent relies on a GITHUB_TOKEN for authentication. There is no evidence of fine-grained authorization, rate-limiting, or compliance auditing of the queries executed or the data returned to prevent abuse or token exhaustion.
Designed specifically as an MCP tool for other AI agents, creating a direct vector for cascading failures. A compromised or manipulated search result returned by repohunt can propagate untrusted data or malicious instructions to downstream orchestrator agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).