AgentReady · Agent Listing

Thermos — agentic threat model

AIVSS 9.2 · Critical

Thermos presents a high agentic risk due to its ability to read proprietary codebases, orchestrate parallel subagents, and write back to repositories via PR creation, making it a prime target for source code exfiltration and supply chain injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.2
AARS uplift: 0.95
Factor sum: 5.3 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.50
Multi-Agent Interactions: 0.80
Non-Determinism: 0.50
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
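The scoring formula above, carried through with the listing's own ten factor values, as an added worked example (this is not the OWASP AIVSS calculator's own code; the qualitative severity bands and the cap at 10.0 are assumptions borrowed from CVSS v3.x):

```python
"""Worked OWASP AIVSS calculation for the Thermos listing (added example).

Implements the formula stated on the listing page:
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
The factor values are the ten agentic risk factors from the listing.
Severity bands are an assumption (CVSS v3.x qualitative ratings).
"""
from dataclasses import dataclass

# The ten AIVSS agentic risk factors, each in [0.0, 1.0].
# Values copied from the Thermos listing.
THERMOS_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.50,
    "Multi-Agent Interactions": 0.80,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.60,
}


@dataclass
class AivssResult:
    cvss_base: float
    factor_sum: float   # rounded to 2 decimals for display
    aars: float         # rounded to 2 decimals for display
    aivss: float        # rounded to 1 decimal, as the listing reports it
    severity: str


def severity_band(score: float) -> str:
    """Assumed mapping: CVSS v3.x qualitative bands applied to AIVSS."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def compute_aivss(cvss_base: float, factors: dict,
                  threat_multiplier: float = 1.0,
                  mitigation_factor: float = 1.0) -> AivssResult:
    """Apply the AIVSS formula, validating every input range first."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    if len(factors) != 10:
        raise ValueError(f"expected 10 agentic risk factors, got {len(factors)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    if threat_multiplier <= 0.0 or mitigation_factor <= 0.0:
        raise ValueError("multipliers must be positive")

    factor_sum = sum(factors.values())
    # AARS scales the remaining headroom (10 - base) by the agentic factors.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    # Mitigation is applied to the combined score; cap at 10.0 (assumed).
    aivss = min(10.0, (cvss_base + aars) * mitigation_factor)
    rounded = round(aivss, 1)
    return AivssResult(cvss_base, round(factor_sum, 2), round(aars, 2),
                       rounded, severity_band(rounded))


if __name__ == "__main__":
    result = compute_aivss(8.2, THERMOS_FACTORS)
    print(result)            # reproduces the listing: AARS 0.95, AIVSS 9.2, Critical
    # Same agent with a hypothetical 0.5 mitigation factor (constructed value).
    print(compute_aivss(8.2, THERMOS_FACTORS, mitigation_factor=0.5))
```

The unrounded AARS is carried into the AIVSS step so that the result does not depend on display rounding; only the reported values are rounded. Feeding the listing's inputs reproduces its 8.2 → 0.95 → 9.2 chain, and lowering the mitigation factor shows how much of the score is attributable to the agentic uplift rather than the CVSS base.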

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The specific foundation models used by this Cursor plugin are not disclosed. Threats include prompt injection via malicious code comments in audited branches, which could manipulate the audit results or hijack subagent orchestration.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — The data operations layer is not detailed, but the agent clones and reads local/remote code branches. Threats include data exfiltration of proprietary source code during the audit process.

L3 · Agent Frameworks · ✓ mapped

The agent framework orchestrates parallel subagents and uses tools to clone repositories and create PRs. Threats include tool misuse, such as unauthorized PR creation or injecting malicious code into a branch under the guise of a 'fix'.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — As a Cursor plugin, it likely runs locally on the developer's machine or within Cursor's cloud environment. Threats include local privilege escalation, host compromise if subagents execute arbitrary code, and exposure of local Git credentials.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — No observability or evaluation guardrails are mentioned. Gaps in logging could allow malicious subagent actions or unauthorized PR creations to go undetected.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — There is no mention of access control policies, compliance frameworks, or authorization checks before creating merge-ready PRs.

L7 · Agent Ecosystem · ✓ mapped

The agent relies heavily on parallel subagent orchestration. Threats include agent-to-agent trust abuse, where a compromised subagent feeds malicious audit data back to the parent agent, leading to cascading failures or compromised code generation.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).