appwrite — agentic threat model

AIVSS 9.3 · Critical

The Appwrite plugin for Claude Code presents a high-risk profile due to its ability to execute deployment commands and call backend APIs directly. Compromise could lead to unauthorized code execution, data exfiltration, or complete backend platform takeover.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.77 · Factor sum 4.9/10 · Threat ×1.05 · Mitigation ×1.0

Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.20
Dynamic Tool Use: 0.80
Persistent Memory: 0.30
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.30
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The underlying foundation model is Claude (via Claude Code), but specific model alignment, fine-tuning, or system-level prompt protections are not detailed in this plugin's directory listing.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — While the plugin interacts with Appwrite's backend databases and APIs, the listing does not specify any local vector stores, RAG pipelines, or data provenance controls managed directly by the plugin.

L3 · Agent Frameworks ✓ mapped

The orchestration relies on Claude Code and MCP servers. The primary threat is tool misuse, where malicious or accidental prompts could trigger destructive Appwrite API calls or deploy vulnerable/malicious cloud functions.

L4 · Deployment & Infrastructure ✓ mapped

The plugin executes deployment commands and interacts directly with the Appwrite backend platform. Compromise at this layer could allow an attacker to execute arbitrary code in the deployment pipeline or compromise the hosting environment.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, logging, or real-time monitoring of the MCP tool executions or API calls within the plugin itself.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The plugin handles sensitive Appwrite API keys and deployment credentials. Insecure storage of these secrets or lack of fine-grained IAM policies on the Appwrite side could lead to unauthorized privilege escalation.

L7 · Agent Ecosystem ✓ mapped

As an MCP server, this plugin operates within the broader Claude Code ecosystem. It is vulnerable to cross-plugin trust abuse if another compromised or malicious MCP server is loaded into the same Claude Code session.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).