Blinky: AI Debugging Agent — agentic threat model
Blinky (GPT Runner) operates locally within developer environments (IDEs/CLI) with direct access to local codebases and configuration files. Its primary risk stems from prompt injection or malicious preset files (`.gpt.md`) leading to unauthorized local file access or arbitrary code execution on the developer's workstation.
OWASP AIVSS score rationale
| Factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the seven MAESTRO layers in order. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — The listing mentions 'LLM integration' but does not specify which foundation models are used (e.g., OpenAI, Anthropic, or local models). Threats include prompt injection leading to malicious code generation or exfiltration of local code.
Layer 2, Data Operations: The agent operates directly on local project files selected by the developer and manages presets via `.gpt.md` files. Threats include reading sensitive local files (secrets, private keys) if the agent is manipulated via prompt injection, and poisoning of `.gpt.md` preset files.
Layer 3, Agent Frameworks: Not certain from the listing — The orchestration framework (e.g., LangChain, custom) is not specified. Threats include insecure tool integration if the CLI or IDE extension executes arbitrary code or commands based on LLM output.
Layer 4, Deployment and Infrastructure: Deployed locally as a VS Code/JetBrains extension or CLI tool, so it runs within the developer's local workstation environment. This poses a high risk of local privilege escalation, local file system access, and exposure of local environment variables and secrets.
Layer 5, Evaluation and Observability: Not certain from the listing — No built-in evaluation, guardrails, or monitoring tools are mentioned. Gaps in logging could allow malicious prompt injections or unauthorized file reads to go unnoticed.
Layer 6, Security and Compliance: Not certain from the listing — No explicit security compliance, authentication, or authorization controls are detailed. It likely inherits the permissions of the local IDE/user.
Layer 7, Agent Ecosystem: Not certain from the listing — There is no mention of multi-agent interactions or marketplace integrations, though sharing `.gpt.md` presets among team members introduces a minor collaborative risk of distributing malicious presets.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).