Bolt — agentic threat model

AIVSS 7.0 · High

Bolt.new presents a high-utility, high-risk profile; while its execution is sandboxed within browser-based WebContainers, its ability to autonomously install packages, execute backend code, and deploy applications makes it highly susceptible to prompt injection and supply chain attacks.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.85
Factor sum: 5.4/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.75

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.80
Self-Modification: 0.20
Dynamic Tool Use: 0.90
Persistent Memory: 0.40
Contextual Awareness: 0.70
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.10
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
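The score above recomputed from the listing's own ten factors, as an added example (not the listing's or the calculator's code): it encodes the quoted formula, and the qualitative severity bands are an assumption modelled on the CVSS ranges. The second call shows the same agent with no mitigation credit, which is what moves it into the Critical band.

```python
# Added example, not from the listing: recompute the OWASP AIVSS score for
# Bolt from the ten agentic-risk factors and the formula quoted on the page.
# Severity bands are an assumption modelled on the CVSS qualitative ranges.

# Agentic risk factors for Bolt as listed on the page, each in [0, 1].
BOLT_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}
BOLT_CVSS_BASE = 8.5    # CVSS base on the page
BOLT_THREAT = 1.05      # threat multiplier (ThM) on the page
BOLT_MITIGATION = 0.75  # mitigation factor on the page

def aars(cvss_base, factors, threat_multiplier):
    """Agentic AI Risk Score: (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    if any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("each agentic factor must be in [0, 1]")
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier

def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, clamped to [0, 10], 1 dp."""
    raw = (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor
    return round(min(max(raw, 0.0), 10.0), 1)

def severity(score):
    """Qualitative band for a score (assumption: CVSS-style ranges)."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

if __name__ == "__main__":
    scored = aivss(BOLT_CVSS_BASE, BOLT_FACTORS, BOLT_THREAT, BOLT_MITIGATION)
    print(f"Bolt AIVSS {scored} ({severity(scored)})")  # 7.0 (High)
    # Same agent with no mitigation credit: the 0.75 factor is what keeps
    # the listing below the Critical band.
    unmitigated = aivss(BOLT_CVSS_BASE, BOLT_FACTORS, BOLT_THREAT, 1.0)
    print(f"Without mitigation: {unmitigated} ({severity(unmitigated)})")  # 9.4 (Critical)
```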

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific LLMs powering Bolt.new are not detailed. Threats include prompt injection leading to malicious code generation, bypass of safety guardrails, and model reprogramming to exfiltrate workspace data.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The data pipeline for codebase indexing and context management is not specified. Threats include the exposure of sensitive environment variables, API keys, or proprietary code stored within the active workspace.

L3 · Agent Frameworks (✓ mapped)

Bolt acts as an orchestrator translating user goals into file edits, package installations, and shell executions. Threats include tool misuse, where prompt injection tricks the agent into executing unintended shell commands or installing malicious npm packages.

L4 · Deployment & Infrastructure (✓ mapped)

Bolt leverages StackBlitz WebContainers to run a full-stack environment directly in the browser sandbox. While WebContainers mitigate host-level compromise, threats include in-browser resource exhaustion, XSS within the application preview, and unauthorized deployment of backdoored apps to production hosting providers.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of real-time guardrails, LLM output monitoring, or safety evaluations for generated code. Gaps here could allow the agent to generate and execute vulnerable or malicious code without detection.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — Compliance certifications (like SOC2) or enterprise identity/access management policies are not specified. Access control relies on the user's browser session and connected deployment accounts.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — No multi-agent orchestration or marketplace interactions are described. The primary risk is limited to the single-agent interaction with external package registries (npm) and deployment platforms.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).