Capy — agentic threat model
Capy presents a high-risk profile as an autonomous coding agent with the capability to write, test, and ship code. Without explicit sandboxing or human-in-the-loop guardrails, a compromise could lead to severe repository-wide supply chain attacks.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.60 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
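As an added worked example (not from the listing and not from the OWASP AIVSS project), the ten factor values from the table above are aggregated in Python and then re-scored under a few hypothetical controls. The composite formula, the control catalogue and the per-factor reductions are assumptions, labelled as such in the code; the official calculator is the reference for any number you quote.

```python
"""Aggregate and stress-test the OWASP AIVSS agentic risk factors for Capy.

Added example, not from the listing or the AIVSS project. The ten factor
values are copied from the page's table. How the factors combine into a
composite score is an ASSUMPTION here (a CVSS-style base averaged with the
agentic sum and scaled by a threat multiplier); confirm against the
official AIVSS calculator before quoting a composite number.
"""

# Factor scores exactly as the page lists them (0.0 = absent, 1.0 = maximal).
CAPY_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.60,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.60,
}

# Hypothetical controls and the factor reductions they are ASSUMED to buy.
# The numbers are constructed for illustration, not measured.
ASSUMED_CONTROLS = {
    "sandboxed execution": {"Autonomy of Action": -0.30, "Dynamic Tool Use": -0.20},
    "human approval before push": {"Autonomy of Action": -0.20, "Goal-Driven Planning": -0.20},
    "signed commits + scoped tokens": {"Dynamic Identity": -0.20},
    "action logging/tracing": {"Opacity & Reflexivity": -0.30},
}


def agentic_risk_score(factors):
    """Sum of the ten factors on a 0-10 scale; each factor is clamped to [0, 1]."""
    if len(factors) != 10:
        raise ValueError("AIVSS defines exactly ten agentic risk factors")
    return round(sum(min(max(v, 0.0), 1.0) for v in factors.values()), 2)


def composite_score(aars, cvss_base, threat_multiplier=1.0):
    """ASSUMED composite: average the CVSS base with the agentic sum, then scale (cap 10)."""
    return round(min(10.0, (cvss_base + aars) / 2 * threat_multiplier), 2)


def apply_controls(factors, controls):
    """Return a new factor map after the named controls' reductions, floored at 0."""
    adjusted = dict(factors)
    for control in controls:
        for name, delta in ASSUMED_CONTROLS[control].items():
            adjusted[name] = max(0.0, round(adjusted[name] + delta, 2))
    return adjusted


def rank_controls(factors, catalogue=ASSUMED_CONTROLS):
    """Order controls by how much each one alone lowers the agentic sum (largest first)."""
    before = agentic_risk_score(factors)
    gains = []
    for control in catalogue:
        after = agentic_risk_score(apply_controls(factors, [control]))
        gains.append((control, round(before - after, 2)))
    return sorted(gains, key=lambda g: g[1], reverse=True)


if __name__ == "__main__":
    base = agentic_risk_score(CAPY_FACTORS)
    print(f"Capy agentic risk sum: {base}/10")
    for control, gain in rank_controls(CAPY_FACTORS):
        print(f"  {control:32s} -{gain}")
    hardened = apply_controls(CAPY_FACTORS, list(ASSUMED_CONTROLS))
    print(f"with all assumed controls: {agentic_risk_score(hardened)}/10")
```

Running it prints the 6.3/10 agentic sum for the table as given and ranks the assumed controls by the reduction each buys on its own; the ranking is only as good as the constructed reductions, so treat it as a way to structure a mitigation discussion rather than as a result.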
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” are general, caveated commentary where the public description gave no detail for that layer.
1. Foundation Models (not certain from the listing): The underlying LLM is not specified, leaving it exposed to standard prompt injection, model reprogramming, or adversarial inputs that could alter the code it generates.
2. Data Operations (not certain from the listing): The agent must ingest code repositories and issue trackers, exposing it to data poisoning or sensitive-data exfiltration if malicious code or issues are ingested.
3. Agent Frameworks (not certain from the listing): The orchestration framework for planning and tool calling (e.g., git, bash, compilers) is unspecified, risking insecure tool execution or command injection via malicious issue descriptions.
4. Deployment and Infrastructure (not certain from the listing): The execution environment (sandboxing for running and testing code) is not detailed, posing a severe risk of host compromise or lateral movement if untrusted code is executed.
5. Evaluation and Observability (not certain from the listing): No details are provided on guardrails, output sanitization, or monitoring of the generated code before it is committed or shipped.
6. Security and Compliance (not certain from the listing): There is no mention of access control, commit signing, or compliance frameworks governing the agent's write access to repositories.
7. Agent Ecosystem (not certain from the listing): Although it ships features in parallel, it is unclear whether it coordinates with other specialized agents, risking cascading failures or unauthorized multi-agent trust escalation.
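The tool-execution, sandboxing and write-access concerns above all come down to what the agent is allowed to run and who signs off on repository changes. As an added example (not Capy's code; the page does not describe its orchestration, so the call shape and the policy are assumptions), here is a small policy gate in Python that accepts only argv lists rather than shell strings, confines paths to a sandboxed checkout, refuses git global options and non-allowlisted subcommands, and routes `git push` through a human approver:

```python
"""Tool-call policy gate for an autonomous coding agent.

Added example, not Capy's code: the page does not describe Capy's
orchestration, so the call shape ({"argv": [...], "cwd": "..."}) and the
policy below are assumptions. It illustrates the guardrails the threat model
asks for: argv allowlists instead of shell strings (so issue text cannot
become a command), paths confined to a sandboxed checkout, and human
approval for anything that changes the shared repository.
"""
from dataclasses import dataclass
from pathlib import Path

WORKSPACE = Path("/work/repo")          # assumed sandbox checkout (constructed path)
ALLOWED_BINARIES = {"git", "python", "pytest", "npm", "cargo", "go"}
# git subcommands that only read or change the local checkout.
GIT_LOCAL = {"status", "diff", "log", "add", "commit", "checkout", "switch", "branch", "stash"}
# "git config" and "git remote" are deliberately absent: they can redirect pushes
# or point hooks at arbitrary programs, so the agent never gets them.


@dataclass(frozen=True)
class Decision:
    verdict: str   # "allow", "deny" or "needs_approval"
    reason: str


def inside_workspace(path: str) -> bool:
    """True if path (absolute, or relative to the checkout) stays under WORKSPACE."""
    if path.startswith("~"):            # home expansion always leaves the checkout
        return False
    root = WORKSPACE.resolve()
    resolved = (WORKSPACE / path).resolve()   # normalises '..' and symlinks
    return resolved == root or root in resolved.parents


def evaluate(call: dict) -> Decision:
    """Decide whether a proposed tool call may run, needs approval, or is refused."""
    argv = call.get("argv")
    if not isinstance(argv, list) or not argv or not all(isinstance(a, str) for a in argv):
        return Decision("deny", "argv must be a non-empty list of strings; shell strings are not accepted")
    cwd = call.get("cwd", ".")
    if not inside_workspace(cwd):
        return Decision("deny", f"cwd {cwd!r} escapes the workspace")
    binary = Path(argv[0]).name
    if binary not in ALLOWED_BINARIES:
        return Decision("deny", f"binary {binary!r} is not allowlisted (shells and network clients included)")
    for arg in argv[1:]:
        looks_like_path = arg.startswith(("/", "~")) or ".." in Path(arg).parts
        if looks_like_path and not inside_workspace(arg):
            return Decision("deny", f"argument {arg!r} points outside the workspace")
    if binary == "git":
        return evaluate_git(argv)
    return Decision("allow", "allowlisted local tool inside the workspace")


def evaluate_git(argv: list) -> Decision:
    # Global options before the subcommand (e.g. "-c key=value") rewrite configuration
    # on the fly, so only a bare subcommand in position 1 is accepted.
    if len(argv) < 2 or argv[1].startswith("-"):
        return Decision("deny", "git global options are not permitted; give the subcommand first")
    sub = argv[1]
    if sub in GIT_LOCAL:
        return Decision("allow", f"git {sub} only touches the local checkout")
    if sub == "push":
        if any(a in ("-f", "--force") or a.startswith("--force") for a in argv[2:]):
            return Decision("deny", "force-push is never permitted")
        return Decision("needs_approval", "git push changes the shared repository; a human must approve")
    return Decision("deny", f"git {sub} is not on the allowlist")


def gate(call: dict, approve) -> str:
    """Final verdict with a human in the loop: approve(call) -> bool is consulted only when needed."""
    decision = evaluate(call)
    if decision.verdict == "needs_approval":
        return "allow" if approve(call) else "deny"
    return decision.verdict


# Constructed sample calls an agent might propose while working an issue.
SAMPLE_CALLS = [
    {"argv": ["pytest", "-q"]},
    {"argv": ["git", "commit", "-m", "fix: handle empty input"]},
    {"argv": ["git", "push", "origin", "main"]},
    {"argv": ["git", "push", "--force", "origin", "main"]},
    {"argv": ["git", "-c", "core.hooksPath=/tmp/hooks", "commit"]},
    {"argv": ["sh", "-c", "make test"]},
    {"argv": ["python", "../../etc/passwd"]},
]


if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        d = evaluate(call)
        print(f"{d.verdict:15s} {' '.join(call['argv'])!r}: {d.reason}")
```

The gate is deliberately an allowlist with a default of deny: anything the policy has not reasoned about (a shell, a network client, a git subcommand that edits configuration) is refused rather than sanitised, and the only path to a remote write is a recorded human decision. Logging each Decision alongside the issue that prompted the call gives the observability layer something concrete to monitor.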
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).