codebase-graph — agentic threat model

AIVSS 8.1 · High

The codebase-graph agent presents a moderate-to-high risk profile due to its deep structural analysis of source code across 42 languages and integration with FalkorDB, which could be exploited for automated vulnerability discovery or codebase poisoning if compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 6.5 · AARS uplift: 1.62 · Factor sum: 4.4/10 · Threat (ThM): ×1.05 · Mitigation: ×1.0

Agentic risk factors:
Autonomy of Action: 0.30
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.60
Persistent Memory: 0.70
Contextual Awareness: 0.80
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.50
Non-Determinism: 0.40
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
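To make the score rationale above reproducible, here is an added Python implementation of the AIVSS formula exactly as this page states it (it is not code from the AgentReady site or from the OWASP AIVSS calculator). The qualitative severity bands are an assumption borrowed from CVSS v3.x, since the page only shows that 8.1 maps to High.

```python
"""Worked AIVSS computation for the codebase-graph listing (added example)."""

# The ten OWASP AIVSS agentic risk factors, in the order the listing gives them.
FACTOR_NAMES = (
    "Autonomy of Action", "Goal-Driven Planning", "Self-Modification",
    "Dynamic Tool Use", "Persistent Memory", "Contextual Awareness",
    "Dynamic Identity", "Multi-Agent Interactions", "Non-Determinism",
    "Opacity & Reflexivity",
)

# Factor values copied from the codebase-graph listing above.
CODEBASE_GRAPH_FACTORS = {
    "Autonomy of Action": 0.30, "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10, "Dynamic Tool Use": 0.60,
    "Persistent Memory": 0.70, "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.10, "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.40, "Opacity & Reflexivity": 0.50,
}


def severity(score: float) -> str:
    """Qualitative band. ASSUMPTION: CVSS v3.x ranges, not an AIVSS-defined table."""
    for upper, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"),
                         (8.9, "High"), (10.0, "Critical")):
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def aivss(cvss_base: float, factors: dict, threat_multiplier: float = 1.0,
          mitigation_factor: float = 1.0) -> dict:
    """AIVSS = (CVSS_Base + AARS) * Mitigation, AARS = (10 - CVSS_Base) * (Sum/10) * ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0..10")
    missing = set(FACTOR_NAMES) - factors.keys()
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    if any(not 0.0 <= factors[n] <= 1.0 for n in FACTOR_NAMES):
        raise ValueError("each agentic factor must be within 0..1")
    factor_sum = sum(factors[n] for n in FACTOR_NAMES)       # max 10, hence the /10
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = min(10.0, max(0.0, (cvss_base + aars) * mitigation_factor))
    return {"factor_sum": round(factor_sum, 2), "aars": round(aars, 2),
            "aivss": round(score, 1), "severity": severity(round(score, 1))}


if __name__ == "__main__":
    print(aivss(6.5, CODEBASE_GRAPH_FACTORS, threat_multiplier=1.05))
```

Running it reproduces the listing's figures: factor sum 4.4, AARS uplift 1.62 and a final AIVSS of 8.1 (High); zeroing every factor collapses the score back to the bare CVSS base, which is the quickest sanity check that the uplift term is wired correctly.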

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin that layer down.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — relies on external Claude Code LLMs. The primary L1 threat is indirect prompt injection via poisoned source code comments parsed by tree-sitter, potentially hijacking the underlying model's execution flow.

L2 · Data Operations (✓ mapped)

The agent builds a knowledge graph using FalkorDB and tree-sitter AST parsing. Threats include graph database poisoning, where malicious code structures manipulate the graph representation, and data exfiltration of sensitive IP contained in the parsed codebase.

L3 · Agent Frameworks (✓ mapped)

Integrates as a Claude Code plugin bundling an MCP (Model Context Protocol) server. Vulnerabilities in the MCP server implementation or insecure tool integration could allow arbitrary code execution or unauthorized filesystem traversal during AST parsing.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — deployment context depends on the user's local environment or IDE hosting Claude Code. If run without sandboxing, the MCP server could allow lateral movement or host filesystem compromise.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there are no mentioned logging, evaluation, or guardrail mechanisms to monitor the queries executed against FalkorDB or the AST parsing outputs for anomalous behavior.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — as an open-source plugin, it lacks built-in enterprise compliance controls, access policies, or audit logging, relying entirely on the host environment's security posture.

L7 · Agent Ecosystem (✓ mapped)

Operates within the Claude Code ecosystem via MCP. A compromised codebase-graph plugin could feed malicious structural intelligence to other connected agents or plugins, leading to cascading trust failures across the developer's toolchain.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).