Roo Code — agentic threat model
Roo Code presents a high-risk profile due to its autonomous execution capabilities, direct integration with the user's terminal and development environment, and lack of built-in sandboxing, which could allow malicious code execution or host compromise via prompt injection.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.50 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.70 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
- Layer 1, Foundation Models: Not certain from the listing — Roo Code is model-agnostic and runs on top of external LLMs. It is highly susceptible to indirect prompt injection through malicious codebases or files it reads, leading to unauthorized command execution.
- Layer 2, Data Operations: Not certain from the listing — The agent reads local codebase files and maintains a task memory system. The primary threat is data exfiltration of sensitive source code or hardcoded secrets if the agent is manipulated by adversarial inputs.
- Layer 3, Agent Frameworks: The framework orchestrates a cyclic planning, editing, running, and debugging loop. Insecure tool integration is a critical threat here, as the agent can be coerced into executing destructive terminal commands or writing malicious code during its autonomous loops.
- Layer 4, Deployment and Infrastructure: Not certain from the listing — Roo Code runs locally within the developer's environment. Without explicit containerization or sandboxing (which are not detailed in the listing), a compromise of the agent directly escalates to full host system compromise.
- Layer 5, Evaluation and Observability: Not certain from the listing — There is no mention of real-time guardrails, safety monitoring, or logging of executed commands to prevent malicious actions before they hit the terminal.
- Layer 6, Security and Compliance: Not certain from the listing — As an open-source developer tool, it lacks enterprise-grade access controls, policy enforcement, or compliance auditing out-of-the-box, relying entirely on the host user's permissions.
- Layer 7, Agent Ecosystem: Not certain from the listing — The agent operates primarily as a single-user developer assistant and does not explicitly detail multi-agent coordination or marketplace interactions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
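The Layer 3 and Layer 5 findings above (coercible terminal execution, no guardrail or command logging) point at one concrete mitigation: a pre-execution gate that every agent-proposed command passes through before it reaches the shell. The following is an added illustration, not Roo Code's own code; `gate_command`, the allowlist and the sample commands are all constructed for this example.

```python
"""Hypothetical pre-execution gate for agent-proposed terminal commands (added example)."""
import re
import shlex
import time

# Constructed policy: programs the agent may run unattended, subcommands that are
# always blocked, and shell tokens (chaining, redirection, substitution) that would let
# an injected payload ride along with an otherwise allowlisted command.
ALLOWED_COMMANDS = {"git", "npm", "pytest", "ls", "cat"}
DENIED_SUBCOMMANDS = {("git", "push"), ("npm", "publish")}
CHAINING = re.compile(r"(\|\||&&|;|\||>|<|`|\$\()")

AUDIT_LOG = []  # in practice: an append-only file or a SIEM forwarder


def gate_command(cmd: str, task_id: str) -> dict:
    """Decide allow / deny / ask (human review) for one command and record the decision."""
    record = {"ts": time.time(), "task": task_id, "cmd": cmd}
    if CHAINING.search(cmd):
        # Chained or redirected commands are never auto-approved; a human looks first.
        record.update(decision="ask", reason="shell chaining/redirection present")
    else:
        try:
            argv = shlex.split(cmd)
        except ValueError as exc:  # e.g. unbalanced quotes
            argv = []
            record.update(decision="deny", reason=f"unparseable: {exc}")
        if argv:
            prog = argv[0].rsplit("/", 1)[-1]  # strip any path prefix
            if prog not in ALLOWED_COMMANDS:
                record.update(decision="ask", reason=f"{prog} not on allowlist")
            elif len(argv) > 1 and (prog, argv[1]) in DENIED_SUBCOMMANDS:
                record.update(decision="deny", reason=f"{prog} {argv[1]} is blocked")
            else:
                record.update(decision="allow", reason="allowlisted")
        elif "decision" not in record:
            record.update(decision="deny", reason="empty command")
    AUDIT_LOG.append(record)  # every decision is logged, allowed or not
    return record


if __name__ == "__main__":
    # Constructed sample commands an agent loop might propose.
    for c in ["git status", "npm publish", "cat README.md; ls /", "rm -rf build"]:
        print(gate_command(c, "task-1"))
```

The audit records give the Layer 5 visibility the listing lacks, and the "ask" path is where a human-in-the-loop confirmation belongs.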