
bolt.diy — agentic threat model

AIVSS 9.4 · Critical

bolt.diy presents a high-risk profile due to its ability to execute LLM-generated commands directly in an integrated terminal, creating a direct path to remote code execution (RCE) if prompt injection occurs. Its open-source, self-hosted nature shifts the entire security burden onto the user's local or containerized environment.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.8 · AARS uplift 0.59 · Factor sum 4.9/10 · Threat ×1.0 · Mitigation ×1.0

Agentic risk factors (each scored 0.00 to 1.00):
Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.20
Dynamic Tool Use: 0.90
Persistent Memory: 0.30
Contextual Awareness: 0.60
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.00
Non-Determinism: 0.80
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
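To make the score above reproducible, here is the formula carried through in code with the page's own inputs (CVSS base 8.8, the ten factor values, threat and mitigation multipliers of 1.0). This is an added example, not the listing's or the OWASP calculator's code; the qualitative severity bands in `severity` are an assumption (the CVSS v3 bands), chosen because they agree with the "9.4 · Critical" label shown.

```python
"""Recompute the OWASP AIVSS score from the factors listed above.

Added example, not part of the listing page or the OWASP calculator. It
implements the formula exactly as the page states it:
  AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
  AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
"""
from __future__ import annotations

# The ten agentic risk factors as scored on the page (each in [0, 1]).
BOLT_DIY_FACTORS: dict[str, float] = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.00,
    "Non-Determinism": 0.80,
    "Opacity & Reflexivity": 0.50,
}


def factor_sum(factors: dict[str, float]) -> float:
    """Sum of the ten factor scores; the page shows it as 'Factor sum 4.9/10'."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range [0, 1]: {value}")
    return sum(factors.values())


def aars(cvss_base: float, factors: dict[str, float], threat_multiplier: float = 1.0) -> float:
    """Agentic AI Risk Score: the uplift added on top of the CVSS base.

    The (10 - CVSS_Base) term caps the uplift so the total can never exceed 10.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range [0, 10]: {cvss_base}")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict[str, float],
          threat_multiplier: float = 1.0, mitigation_factor: float = 1.0) -> float:
    """Final AIVSS score: base plus uplift, scaled by the mitigation factor."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score: float) -> str:
    """Qualitative band. Assumption: the CVSS v3 bands, which match '9.4 · Critical'."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


if __name__ == "__main__":
    base = 8.8
    print(f"factor sum  = {factor_sum(BOLT_DIY_FACTORS):.1f}/10")
    print(f"AARS uplift = {aars(base, BOLT_DIY_FACTORS):.2f}")
    total = aivss(base, BOLT_DIY_FACTORS)
    print(f"AIVSS       = {total:.1f} · {severity(total)}")
```

Running it reproduces the figures on the page: factor sum 4.9, AARS uplift 0.59, AIVSS 9.4 (Critical). Because the mitigation factor multiplies the whole sum, the same function also shows how much a documented control (a lower mitigation factor) would move the score.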

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ✓ mapped

Supports a wide variety of external foundation models (OpenAI, Anthropic, Ollama, Gemini, etc.). The primary threats are adversarial prompt injection and jailbreaking, which can manipulate the model into generating malicious code or executing destructive terminal commands.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — No explicit RAG or vector database is mentioned, but the agent processes local project files and user-uploaded images, presenting risks of local data exposure or processing malicious files.

L3 · Agent Frameworks ✓ mapped

The orchestration framework translates user prompts into multi-step file creation and terminal command execution. The primary threat is insecure tool integration, specifically the terminal execution tool running arbitrary, unvalidated shell commands generated by the LLM.
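The threat this layer names is an execution tool that runs whatever string the model emits. One defensive pattern is a policy gate between the model and the terminal: parse the proposed command without a shell, allow only a fixed set of programs, and refuse arguments that reach outside the workspace. The following is an added, hypothetical Python example written for this page; it is not bolt.diy's own code, and the allowlist, the `gate_command` function and the sample proposals are constructed for illustration.

```python
"""Policy gate for LLM-proposed terminal commands.

Hypothetical example written for this page; it is not bolt.diy's code and
the allowlist below is constructed for illustration only.
"""
from __future__ import annotations

import re
import shlex
import subprocess
from dataclasses import dataclass
from pathlib import PurePosixPath

# Programs the agent may invoke inside the project workspace (constructed allowlist).
ALLOWED_PROGRAMS = frozenset({"npm", "pnpm", "npx", "node", "ls", "cat", "mkdir", "touch"})

# Shell control operators and expansions. Any of these would turn one reviewed
# command into several, or splice unreviewed text into it, so the gate refuses
# them outright, even inside quotes (deliberately conservative).
CONTROL_PATTERN = re.compile(r"[;&|<>`\n]|\$\(|\$\{")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    argv: tuple[str, ...] = ()


def _escapes_workspace(arg: str) -> bool:
    """True if an argument is a path that could reach outside the workspace."""
    if arg.startswith("-"):
        return False  # an option flag, not a path
    path = PurePosixPath(arg)
    return path.is_absolute() or arg.startswith("~") or ".." in path.parts


def gate_command(command: str) -> Decision:
    """Decide whether a model-proposed command may be executed, and why."""
    if CONTROL_PATTERN.search(command):
        return Decision(False, "shell control operator or expansion present")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        return Decision(False, f"unparseable command: {exc}")
    if not argv:
        return Decision(False, "empty command")
    program = argv[0]
    if "/" in program:
        return Decision(False, "program must be a bare name resolved on PATH")
    if program not in ALLOWED_PROGRAMS:
        return Decision(False, f"program not in allowlist: {program}")
    for arg in argv[1:]:
        if _escapes_workspace(arg):
            return Decision(False, f"argument escapes workspace: {arg}")
    return Decision(True, "ok", tuple(argv))


def run_gated(command: str, workspace: str, timeout: float = 60.0) -> subprocess.CompletedProcess | None:
    """Run the command only if the gate allows it.

    shell=False passes the argv list straight to the program; no shell ever
    parses the model's string. Every decision is logged for later review.
    """
    decision = gate_command(command)
    verdict = "ALLOW" if decision.allowed else "DENY"
    print(f"[gate] {verdict} {command!r}: {decision.reason}")
    if not decision.allowed:
        return None
    return subprocess.run(list(decision.argv), cwd=workspace, shell=False,
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample proposals, as a model might emit them.
    for proposal in ["npm install", "npm test; ls", "cat ../../.env",
                     "rm -rf dist", "node /tmp/run.js"]:
        print(gate_command(proposal))
```

The gate is an allowlist, not a denylist: anything it has not been taught is refused, and the reason string gives the audit log something to record. It does not inspect paths embedded in option values (for example `--out=../x`), so a production gate would also constrain the working directory at the container or filesystem level rather than trust string checks alone.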

L4 · Deployment & Infrastructure ✓ mapped

Runs locally or via Docker. If the Docker container is not properly sandboxed, a compromised agent executing malicious commands in the integrated terminal could lead to container escape and host system compromise.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — No explicit evaluation, guardrails, or observability frameworks are mentioned beyond the integrated terminal for viewing command outputs.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — No built-in authentication, authorization, or compliance controls are mentioned; security relies entirely on the user's local deployment environment.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — The agent operates as a standalone local development tool with no explicit multi-agent coordination or marketplace ecosystem described.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).