aikido — agentic threat model
Aikido operates as an MCP server plugin within Claude Code, presenting a moderate-to-high risk profile due to its direct access to local source code, secrets, and infrastructure configurations during SAST/IaC scanning.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.60 |
| Non-Determinism | 0.30 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models (not certain from the listing): The underlying foundation model is Claude (via Claude Code). Threats include prompt injection attacks, for example via content in the scanned repository, that could trick the model into ignoring or misclassifying critical vulnerabilities during scans.
Layer 2, Data Operations: The agent directly accesses and processes sensitive local data assets, including source code, IaC files, and potential secrets. Threats include unauthorized exfiltration of these assets if the MCP server is compromised.
Layer 3, Agent Frameworks: Orchestrated via the Aikido MCP (Model Context Protocol) server. Threats include tool misuse, where a malicious actor exploits the MCP interface to execute unauthorized local commands or access restricted files.
Layer 4, Deployment and Infrastructure (not certain from the listing): The MCP server runs locally in the developer's environment. Threats include local privilege escalation, unauthorized local port exposure, and a lack of sandboxing between the scanner and the host system.
Layer 5, Evaluation and Observability (not certain from the listing): Monitoring is focused on scan findings. Threats include blind spots where the agent fails to log its own internal execution errors, and malicious tampering with scan results.
Layer 6, Security and Compliance (not certain from the listing): While the tool itself is used for security compliance (SAST/IaC), there is no explicit mention of built-in access controls, audit logging, or transport security for the MCP communication channel.
Layer 7, Agent Ecosystem: Designed specifically to integrate with Claude Code via the MCP ecosystem. Threats include cascading failures or trust abuse if Claude Code is compromised, allowing a rogue agent to manipulate the Aikido scanner.
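The Layer 1 and Layer 5 threats above share a detection control: compare the raw findings the scanner tool returned with what the agent actually reported, and flag any high or critical finding that was dropped or downgraded along the way. The following is an added example, not Aikido's code; the `Finding` record, its severity scale and the sample findings are constructed for illustration, and would need mapping to the real tool's output format.

```python
from __future__ import annotations
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    severity: str  # a key of SEVERITY_RANK

    @property
    def key(self) -> tuple[str, str, int]:
        return (self.rule_id, self.path, self.line)

def audit_summary(raw: list[Finding], reported: list[Finding],
                  min_severity: str = "high"):
    """Return (dropped, downgraded): findings at or above min_severity that the
    agent omitted, or reported at a lower severity than the scanner did."""
    floor = SEVERITY_RANK[min_severity]
    reported_by_key = {f.key: f for f in reported}
    dropped, downgraded = [], []
    for f in raw:
        if SEVERITY_RANK[f.severity] < floor:
            continue  # below the audited floor
        r = reported_by_key.get(f.key)
        if r is None:
            dropped.append(f)
        elif SEVERITY_RANK[r.severity] < SEVERITY_RANK[f.severity]:
            downgraded.append((f, r))
    return dropped, downgraded

# Constructed sample: the scanner tool's raw output vs. the agent's summary,
# in which the critical finding is missing and one high was downgraded.
RAW = [
    Finding("hardcoded-secret", "src/config.py", 12, "critical"),
    Finding("sqli", "src/db.py", 40, "high"),
    Finding("open-s3-bucket", "infra/main.tf", 7, "high"),
    Finding("debug-enabled", "src/app.py", 3, "low"),
]
REPORTED = [
    Finding("sqli", "src/db.py", 40, "high"),
    Finding("open-s3-bucket", "infra/main.tf", 7, "medium"),
    Finding("debug-enabled", "src/app.py", 3, "low"),
]

if __name__ == "__main__":
    dropped, downgraded = audit_summary(RAW, REPORTED)
    print("dropped:", [f.key for f in dropped], "downgraded:", [(f.key, r.severity) for f, r in downgraded])
```

Run this check outside the agent's own context (for example as a wrapper around the MCP tool call) so that an injected instruction cannot also suppress the audit.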
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).