Refact.ai — agentic threat model
Refact.ai presents a moderate-to-high risk profile, centered primarily on intellectual property exposure and potential supply-chain code injection; the risk is significantly mitigated by its self-hosted and on-premise deployment options.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.40 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” carry general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models: Utilizes LLMs for code completion and refactoring, and supports model fine-tuning for enterprise clients. Threats include model poisoning during fine-tuning and adversarial prompt injection leading to malicious code generation.
Layer 2, Data Operations: Employs Retrieval-Augmented Generation (RAG) to ingest and understand entire codebases. This introduces risks of codebase data exfiltration, embedding inversion, and RAG poisoning if malicious code is introduced into the repository.
Layer 3, Agent Frameworks: Integrates directly into IDEs (VS Code, JetBrains) to perform refactoring and code generation. Vulnerabilities in the plugin framework or insecure tool integration could allow unauthorized file-system access or execution of generated code.
Layer 4, Deployment & Infrastructure: Supports self-hosting and on-premise deployment, which limits external network exposure but shifts the responsibility for secure hosting, container isolation, and credential management to the user.
Layer 5, Evaluation & Observability: Not certain from the listing — there is no explicit mention of built-in guardrails, output sanitization, or logging/observability frameworks to detect anomalous or malicious code suggestions before the developer accepts them.
Layer 6, Security & Compliance: Not certain from the listing — while “data privacy” is highlighted via self-hosting, specific compliance certifications (e.g., SOC 2, ISO 27001) and access-control policies for enterprise fine-tuning are not detailed.
Layer 7, Agent Ecosystem: Not certain from the listing — the agent operates as a standalone developer assistant within the IDE and does not explicitly feature multi-agent collaboration or marketplace integrations.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.