
agent-development — agentic threat model

AIVSS 6.4 · Medium

This agent-development skill presents low direct runtime risk as a local development guide, but introduces potential supply-chain and execution risks via its local bash-based linting script and the generation of system prompts that govern other agents.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 5.5
AARS uplift: 1.22
Factor sum: 2.7/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.95

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.30
Self-Modification: 0.10
Dynamic Tool Use: 0.40
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.50
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
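Added example, not from the listing or from the OWASP AIVSS project: the score rationale above recomputed in Python from the ten published factor weights, so a reader can check how the 5.5 base becomes 6.4 and what the mitigation factor is worth. Half-up rounding to the listing's displayed precision and the CVSS v3.x-style severity bands are assumptions of this example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Factor weights copied from the listing above (each on a 0-1 scale).
AGENT_DEVELOPMENT_FACTORS = {
    "Autonomy of Action": "0.20",
    "Goal-Driven Planning": "0.30",
    "Self-Modification": "0.10",
    "Dynamic Tool Use": "0.40",
    "Persistent Memory": "0.10",
    "Contextual Awareness": "0.30",
    "Dynamic Identity": "0.10",
    "Multi-Agent Interactions": "0.50",
    "Non-Determinism": "0.40",
    "Opacity & Reflexivity": "0.30",
}


def _q(value, places):
    """Round half-up to the given decimal places (assumed to match the listing's display)."""
    return float(Decimal(value).quantize(Decimal(places), rounding=ROUND_HALF_UP))


def aivss_breakdown(cvss_base, factors, threat_multiplier="1.0", mitigation_factor="1.0"):
    """Compute Factor_Sum, AARS and AIVSS with the formula stated on this page.

    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    Decimal arithmetic avoids binary-float drift right at a rounding boundary
    (1.215 -> 1.22). The range checks are an added sanity guard, not part of AIVSS.
    """
    cvss = Decimal(str(cvss_base))
    if not 0 <= cvss <= 10:
        raise ValueError("CVSS base score must lie within 0-10")
    weights = [Decimal(str(v)) for v in factors.values()]
    if len(weights) != 10 or any(not 0 <= w <= 1 for w in weights):
        raise ValueError("expected ten agentic factors, each scored 0-1")
    factor_sum = sum(weights)
    aars = (10 - cvss) * (factor_sum / 10) * Decimal(str(threat_multiplier))
    aivss = min(Decimal(10), (cvss + aars) * Decimal(str(mitigation_factor)))
    return {"factor_sum": _q(factor_sum, "0.01"), "aars": _q(aars, "0.01"), "aivss": _q(aivss, "0.1")}


def severity(score):
    """Qualitative band; assumed to follow the CVSS v3.x rating scale."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"


if __name__ == "__main__":
    result = aivss_breakdown("5.5", AGENT_DEVELOPMENT_FACTORS, "1.0", "0.95")
    print(result, severity(result["aivss"]))  # {'factor_sum': 2.7, 'aars': 1.22, 'aivss': 6.4} Medium
```

Running it with the mitigation factor left at 1.0 gives 6.7, which is what the ×0.95 credit is buying this listing.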

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — relies on the underlying Claude Code model execution environment. The primary threat is prompt injection during the generation of system prompts or frontmatter, which could lead to downstream agent hijacking.

L2 · Data Operations (✓ mapped)

Operates on local agent definition files, reference documents, and schema templates. Risks include local file path traversal or reading malicious agent definitions designed to exploit the parser.

L3 · Agent Frameworks (✓ mapped)

The skill orchestrates the validation of other agents. Vulnerabilities could exist in how the framework parses agent frontmatter, tool allowlists, and triggering conditions, potentially leading to logic bypasses.

L4 · Deployment & Infrastructure (✓ mapped)

Includes a 'validate-agent.sh' script executed via bash. This introduces a direct command execution vector if the script does not safely sanitize inputs or if the local environment lacks proper sandboxing.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no explicit mention of runtime observability, logging, or guardrails for the validation script other than basic linting outputs.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — compliance and access controls depend entirely on the host system running Claude Code. No built-in authentication or policy enforcement is described.

L7 · Agent Ecosystem (✓ mapped)

Directly influences the agent ecosystem by defining subagent behaviors, triggering conditions, and tool allowlists. A compromise here could result in the creation of malicious subagents that abuse agent-to-agent trust.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).