Cline — agentic threat model

AIVSS 7.9 · High

Cline presents a high agentic risk profile due to its ability to execute arbitrary terminal commands and modify local files directly within the developer's IDE. While local execution limits external exposure, a prompt injection or malicious MCP server could lead to full host compromise.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 9.8
AARS uplift: 0.13
Factor sum: 5.9/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.8

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.30
Dynamic Tool Use: 0.90
Persistent Memory: 0.40
Contextual Awareness: 0.80
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.50
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
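The calculation behind the 7.9, carried through in code as an added example (this is not the AIVSS calculator referenced above, and not part of the listing). It takes the ten factor values and the CVSS base, threat multiplier and mitigation factor exactly as tabulated on this page, computes AARS and the final score with the formula stated above, and rejects out-of-range inputs. The qualitative band is an assumption: the CVSS v3.1 severity bands are applied to the AIVSS score, which agrees with the page labelling 7.9 as High.

```python
"""Worked AIVSS calculation for the Cline listing (added example, not the page's own tool)."""

# Agentic risk factors as tabulated on the page, each on a 0.0-1.0 scale.
CLINE_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.60,
}


def severity_band(score):
    """Map a 0-10 score to a qualitative band.

    Assumption: the CVSS v3.1 qualitative bands are applied to the AIVSS score;
    the page labels 7.9 as "High", which is consistent with that mapping.
    """
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Return the intermediate terms and final score of the AIVSS formula.

    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be within 0-10")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be within 0-1, got {value}")

    factor_sum = sum(factors.values())  # 5.9 for Cline

    # AARS is the headroom left above the CVSS base, scaled by how agentic the
    # system is (factor_sum / 10) and by the threat multiplier. With a base of
    # 9.8 there is only 0.2 of headroom, which is why the uplift is just 0.13.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier

    # The mitigation factor discounts the combined score (0.8 on the page).
    score = (cvss_base + aars) * mitigation_factor

    return {
        "factor_sum": round(factor_sum, 2),
        "aars": round(aars, 2),
        "score": round(score, 1),
        "band": severity_band(round(score, 1)),
    }


if __name__ == "__main__":
    result = aivss(9.8, CLINE_FACTORS, threat_multiplier=1.1, mitigation_factor=0.8)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it reproduces the page's numbers: factor sum 5.9, AARS 0.13, score 7.9, band High. The intermediate terms are returned rather than only printed so that a reviewer can see which of the three levers (base score, agentic factors, mitigation) actually moves the result; for Cline the base score dominates, and the agentic uplift is capped by the small remaining headroom.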

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Cline is model-agnostic and connects to external LLM providers via APIs. This introduces risks of prompt injection, where malicious instructions in a codebase could hijack the model's behavior during file reading.

L2 · Data Operations (✓ mapped)

Cline operates directly on the local workspace and codebase. The primary threat is data exfiltration of proprietary source code or sensitive configuration files if the agent is compromised via prompt injection.

L3 · Agent Frameworks (✓ mapped)

Features a dual Plan/Act framework with tool-calling capabilities (file editing, terminal execution, MCP). Insecure tool integration or lack of strict input validation on terminal commands represents a critical vulnerability.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally as a VS Code extension and inherits the user's local system privileges, so any command execution occurs directly on the host machine, risking host compromise and lateral movement across the network.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — While the user can observe actions in the VS Code UI, there is no mention of automated guardrails, policy enforcement, or centralized security logging to detect anomalous agent behavior.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — As an open-source local extension, it lacks centralized enterprise compliance controls, identity management, or audit trails, relying entirely on the developer's local security posture.

L7 · Agent Ecosystem (✓ mapped)

Utilizes the Model Context Protocol (MCP) to extend capabilities. This introduces ecosystem risks where a compromised or malicious third-party MCP server could execute unauthorized actions or inject malicious payloads.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).