Windsurf (VS Code extension, formerly Codeium) — agentic threat model
Windsurf introduces significant agentic risk by combining local code execution capabilities with a one-click MCP marketplace, allowing the Cascade agent to execute powerful tools directly on the developer's local machine.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.50 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.60 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — relies on external LLMs (such as Codeium's proprietary models or Claude/GPT-4o) to power Cascade. Threats include prompt injection that bypasses system instructions and drives the agent to execute unauthorized local tools.
Layer 2 (Data Operations): Operates directly on local codebases, configuration files, and workspace context. High risk of data exfiltration if a compromised MCP server or a malicious prompt injection causes the agent to read and transmit sensitive local files.
Layer 3 (Agent Frameworks): Cascade orchestrates planning, tool calling, and MCP server integration. The framework supports up to 100 active tools, which creates a large attack surface for insecure tool integration, tool parameter tampering, and indirect prompt injection via files in the codebase.
Layer 4 (Deployment and Infrastructure): Runs locally as a VS Code extension. MCP servers run on the developer's host machine, so a compromised tool or malicious MCP server has direct local execution privileges, risking host compromise and lateral movement.
Layer 5 (Evaluation and Observability): Not certain from the listing — likely relies on standard VS Code extension logging and user-facing chat history. The listing makes no explicit mention of real-time guardrails or automated anomaly detection for malicious tool execution.
Layer 6 (Security and Compliance): Requires manual configuration of mcp_config.json for custom servers, placing the entire burden of credential management and tool authorization on the individual developer.
Layer 7 (Agent Ecosystem): Features a built-in one-click MCP marketplace. This introduces supply-chain risk: users may install malicious, unverified, or compromised third-party MCP servers that gain immediate access to the local environment.
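The two previous layers put credential handling (mcp_config.json) and server provenance (the marketplace) on the developer. The following is an added example, not code from Windsurf or from the original listing, of a small audit a developer could run over their own mcp_config.json before enabling servers. It assumes the common MCP client layout (a top-level "mcpServers" map of name to command/args/env); the sample config, server names and package names are constructed.

```python
import json
import re
from typing import Dict, List

# Constructed sample config in the layout most MCP clients use
# ("mcpServers" -> name -> command/args/env). This layout is an assumption,
# not copied from Windsurf documentation; every value below is made up.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@example/github-mcp"],
      "env": {"GITHUB_TOKEN": "ghp_EXAMPLEPLACEHOLDER"}
    },
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@example/fs-mcp@1.4.2", "/home/dev/projects"]
    },
    "remote": {
      "command": "mcp-proxy",
      "args": ["http://tools.example.internal/sse"]
    }
  }
}
"""

SECRET_KEY = re.compile(r"(TOKEN|SECRET|KEY|PASSWORD|PASSWD)", re.I)
LAUNCHERS_THAT_FETCH = {"npx", "uvx", "pipx"}  # fetch a package at launch time


def is_pinned(spec: str) -> bool:
    """True if an npm-style spec carries an explicit version (@scope/name@1.2.3)."""
    body = spec[1:] if spec.startswith("@") else spec  # drop the scope marker
    return "@" in body


def audit_mcp_config(text: str) -> Dict[str, List[str]]:
    """Map server name -> list of risky patterns found in its entry."""
    findings: Dict[str, List[str]] = {}
    for name, server in json.loads(text).get("mcpServers", {}).items():
        issues: List[str] = []
        args = [str(a) for a in server.get("args", [])]
        # Secrets written straight into the config file (no secret store, no scoping)
        for key, value in server.get("env", {}).items():
            if SECRET_KEY.search(key) and value:
                issues.append(f"plaintext credential in env: {key}")
        # Launchers that download a package every start: pin it, or it is a moving target
        if server.get("command") in LAUNCHERS_THAT_FETCH:
            specs = [a for a in args if not a.startswith("-")]
            if specs and not is_pinned(specs[0]):
                issues.append(f"unpinned package fetched at launch: {specs[0]}")
        # Remote tool endpoints reached over cleartext HTTP
        issues += [f"cleartext transport: {a}" for a in args if a.startswith("http://")]
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_mcp_config(SAMPLE_CONFIG), indent=2))
```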
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).