
trailofbits-codeql — agentic threat model

AIVSS 8.1 · High

This agent presents a moderate-to-high risk profile due to its capability to execute CodeQL queries against target codebases, which could lead to arbitrary code execution or local file access if the query execution environment is not properly sandboxed.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.5
AARS uplift: 1.0
Factor sum: 3.8/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.95
Agentic risk factors:
Autonomy of Action: 0.40
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.30
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
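To check that the listing's numbers hang together, here is an added Python example (not code from AgentReady or from OWASP) that recomputes the score from the formula and the ten factor values shown above; it assumes the page's own inputs (CVSS base 7.5, ThM 1.05, mitigation 0.95) and does not derive the "High" band, since the page does not state its band thresholds.

```python
# Added example: recompute the listing's OWASP AIVSS score from the formula
# and the ten agentic risk factors shown on the page (values copied verbatim).

AGENTIC_FACTORS = {
    "Autonomy of Action": 0.40,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


def factor_sum(factors):
    """Sum the ten factors; the page shows this as 'Factor sum 3.8/10'."""
    return round(sum(factors.values()), 2)


def aars(cvss_base, factor_total, thm):
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM: the agentic uplift."""
    return (10.0 - cvss_base) * (factor_total / 10.0) * thm


def aivss(cvss_base, factor_total, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factor_total, thm)) * mitigation


def score_listing(cvss_base=7.5, thm=1.05, mitigation=0.95, factors=AGENTIC_FACTORS):
    """Reproduce the listing: factor sum 3.8, uplift ~1.0, final score ~8.1."""
    total = factor_sum(factors)
    return {
        "factor_sum": total,
        "aars": round(aars(cvss_base, total, thm), 2),
        "aivss": round(aivss(cvss_base, total, thm, mitigation), 1),
    }


if __name__ == "__main__":
    print(score_listing())  # {'factor_sum': 3.8, 'aars': 1.0, 'aivss': 8.1}
```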

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — relies on an underlying foundation model for CodeQL query generation. Primary threats include prompt injection leading to the generation of malicious or intentionally flawed queries that bypass security checks, or model reprogramming to hide vulnerabilities.

L2 · Data Operations (✓ mapped)

The agent interacts with target codebases and bundled reference materials. Threats include codebase poisoning where malicious code is structured to exploit the static analysis engine, or unauthorized exfiltration of proprietary source code via query results.

L3 · Agent Frameworks (✓ mapped)

The agent orchestrates CodeQL execution as its script surface. A major threat is insecure tool integration, where a crafted prompt or malicious codebase tricks the agent into executing arbitrary system commands or unauthorized CodeQL commands.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — the execution environment for CodeQL is critical. If the host environment lacks strict containerization or sandboxing, running CodeQL against untrusted codebases could lead to host compromise or lateral network movement.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — requires robust logging of executed queries and generated outputs to detect evasion attempts or malicious query patterns. Lack of observability could allow silent bypasses of security scans.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — requires strict access controls to ensure only authorized users can run queries against sensitive codebases, and policy enforcement to prevent the tool from being used for unauthorized vulnerability research on external systems.

L7 · Agent Ecosystem (✓ mapped)

The agent is part of the building-secure-contracts/static-analysis plugin ecosystem. Threats include cascading failures if upstream orchestration agents pass untrusted inputs, or trust abuse where other agents blindly trust this agent's vulnerability reports.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).