AgentReadyHomeAgent Listing

← wshobson/commands

wshobson/commands — agentic threat model

9.4AIVSS 9.4 · Critical

This agentic command collection significantly expands the attack surface of Claude Code by introducing 57 custom workflow and tool commands, including multi-agent orchestration patterns. The primary risk stems from the execution of complex, multi-step local system commands and subagent dispatching without explicit sandboxing or verification mentioned in the listing.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.92Factor sum 5.6/10Threat ×1.1Mitigation ×1.0
Autonomy of Action
0.80
Goal-Driven Planning
0.70
Self-Modification
0.30
Dynamic Tool Use
0.90
Persistent Memory
0.20
Contextual Awareness
0.60
Dynamic Identity
0.40
Multi-Agent Interactions
0.80
Non-Determinism
0.50
Opacity & Reflexivity
0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The commands run on top of Claude Code (presumably Claude 3.5 Sonnet). The primary L1 threat is prompt injection within the slash commands that could hijack the underlying model's instructions to execute malicious local system operations.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — The listing does not mention dedicated vector databases or RAG pipelines, but the tool commands likely read, parse, and process local codebase files, exposing them to data exfiltration or manipulation if malicious inputs are processed.

L3 · Agent Frameworks✓ mapped

The framework layer is highly active, providing 15 workflow and 42 tool commands that extend Claude Code. Threats include tool misuse, command injection via structured instructions, and insecure integration of specialized utilities that execute directly on the developer's machine.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — These commands run locally within the user's Claude Code CLI environment. If the host environment lacks strict containerization or sandboxing, executing these commands poses a direct threat of local privilege escalation and host compromise.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of logging, guardrails, or execution monitoring for these 57 commands, creating a significant blind spot when multi-step workflows or subagents are dispatched.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — No security controls, authentication mechanisms, or policy enforcement engines are described for restricting which commands can be run or what system resources they can access.

L7 · Agent Ecosystem✓ mapped

Highly relevant as the commands explicitly enable multi-agent orchestration patterns and dispatch subagents. This introduces risks of agent-to-agent trust abuse, cascading failures across orchestrated subagents, and vulnerability to compromised plugins from the wider marketplace.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).