
software-engineering — agentic threat model

AIVSS 9.4 · Critical

The software-engineering plugin introduces significant agentic risk by combining local codebase access and debugging capabilities with sensitive payment integrations (Stripe/PayPal) and an external MCP server. This multi-agent setup increases the potential impact of prompt injection, which could lead to unauthorized financial transactions or local code execution.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.93
Factor sum: 5.9/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.20
Dynamic Tool Use: 0.80
Persistent Memory: 0.30
Contextual Awareness: 0.80
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.90
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
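Carrying the AIVSS formula above through with this page's ten factor values, as an added example (not part of the listing or the AIVSS calculator). It reproduces the AARS uplift of 0.93 and the 9.4 score, and shows how the mitigation factor moves the result; the severity bands are assumed to follow the CVSS qualitative scale (9.0 and above is Critical), which the page's "Critical" label matches.

```python
"""Worked OWASP AIVSS computation with the factor values listed above.

Assumptions (not from the listing): factor scores lie in [0, 1] and
severity bands follow the CVSS qualitative scale.
"""

# The ten agentic risk factors exactly as scored on this page.
FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.90,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}


def factor_sum(factors):
    """Sum of the factor scores (max 10); rejects out-of-range values."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} outside [0, 1]")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score):
    """Qualitative band; assumed CVSS scale: Critical >= 9.0, High >= 7.0, Medium >= 4.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


if __name__ == "__main__":
    base, thm = 8.5, 1.05
    print(f"Factor sum {factor_sum(FACTORS):.1f}/10, AARS {aars(base, FACTORS, thm):.2f}")
    for mitigation in (1.0, 0.9):  # page value, then a hypothetical 10 % mitigation credit
        score = aivss(base, FACTORS, thm, mitigation)
        print(f"Mitigation x{mitigation}: AIVSS {score:.1f} ({severity(score)})")
```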

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not pin down that layer.

L1 · Foundation Models (✓ mapped)

Runs on top of Claude (via Claude Code). Highly vulnerable to indirect prompt injection via malicious code comments, untrusted repositories, or poisoned documentation files being reviewed, which could reprogram the subagents.

L2 · Data Operations (✓ mapped)

Uses the bundled context7 MCP server for live documentation lookup. Threats include data exfiltration of the local codebase via outbound MCP requests and knowledge-base poisoning if the external documentation sources are compromised.

L3 · Agent Frameworks (✓ mapped)

Orchestrates multiple subagents (debugging, license compliance, payments). Insecure tool integration is a major threat here, particularly if the payment subagent (Stripe/PayPal) can be tricked by the debugging or frontend subagents into executing unauthorized API calls.

L4 · Deployment & Infrastructure (✓ mapped)

Deploys locally within the developer's Claude Code CLI environment. Threats include local privilege escalation, arbitrary code execution during debugging tasks, and exposure of local network ports by the context7 MCP server.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — standard Claude Code logging likely applies, but there is no mention of plugin-specific guardrails, anomaly detection, or evaluation frameworks to monitor subagent interactions or payment execution safety.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Features a built-in license-compliance checker (AGPL/MIT/Apache). However, the plugin lacks explicit authorization policies or access controls to restrict when and how the payment integration tools can be invoked.

L7 · Agent Ecosystem (✓ mapped)

Employs a multi-agent ecosystem (subagents for frontend, payments, architecture, and debugging). This creates a risk of cascading failures and agent-to-agent trust abuse, where a compromised frontend agent could manipulate the payment agent.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).