Compound Engineering Plugin — agentic threat model

AIVSS 9.6 · Critical

The Compound Engineering Plugin introduces significant agentic risk by bundling 42 skills, 6 agents, and an MCP server directly into local developer environments (Claude Code, Codex), creating a high-impact vector for tool misuse and local system compromise.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 1.12
Factor sum: 6.8 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each weighted 0 to 1):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.90
Self-Modification: 0.30
Dynamic Tool Use: 0.90
Persistent Memory: 0.50
Contextual Awareness: 0.80
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.90
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
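As an added worked example (not part of the listing or of the AIVSS calculator), the formula above carried through in Python with this page's ten factor weights, CVSS base and multipliers, so the 9.6 can be reproduced and the effect of a mitigation factor below 1.0 inspected. The severity bands are the CVSS v3 qualitative scale, which this example assumes AIVSS reuses.

```python
"""Recompute the OWASP AIVSS score for this listing from its published inputs.

Added example, not part of the listing. Formula, factor weights and multipliers
are the page's; the severity bands are the CVSS v3 scale, assumed to apply here.
"""

# The ten agentic risk factors, each weighted in [0, 1], as listed on the page.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.90,
    "Self-Modification": 0.30,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.50,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.90,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.60,
}
CVSS_BASE = 8.5          # CVSS base score from the listing
THREAT_MULTIPLIER = 1.1  # ThM in the formula
MITIGATION_FACTOR = 1.0  # 1.0 credits no compensating controls

def factor_sum(factors):
    """Sum of the weights; AIVSS defines exactly ten factors, each in [0, 1]."""
    if len(factors) != 10 or any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("expected ten factor weights in [0, 1]")
    return sum(factors.values())

def aars(cvss_base, factors, thm):
    """Agentic uplift, scaled by the headroom left between CVSS_Base and 10."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm

def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, exactly as quoted above."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation

def severity(score):
    """Rating on the CVSS v3 bands for non-zero scores (assumed to apply to AIVSS)."""
    for limit, label in ((4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if score < limit:
            return label
    return "Critical"

def listing_score(mitigation=MITIGATION_FACTOR):
    """(factor_sum, AARS, AIVSS, rating); vary mitigation to see controls' effect."""
    fs = factor_sum(AGENTIC_FACTORS)
    uplift = aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER)
    total = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, mitigation)
    return round(fs, 1), round(uplift, 2), round(total, 1), severity(total)
```

Calling `listing_score()` returns `(6.8, 1.12, 9.6, 'Critical')`, matching the listing; `listing_score(0.8)` shows how crediting mitigations drops the rating to High.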

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — relies on external foundation models (Claude Code, Codex) that are susceptible to prompt injection, adversarial reprogramming, and misaligned code generation outputs.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — the data operations layer likely involves local codebase indexing and context retrieval, presenting risks of local data exfiltration or poisoning if malicious code is processed.

L3 · Agent Frameworks (✓ mapped)

The agent framework orchestrates 42 skills, 6 agents, and 3 commands. This high density of tool integration increases the risk of tool misuse, insecure tool execution, and framework-level vulnerabilities during code generation.

L4 · Deployment & Infrastructure (✓ mapped)

The bundled Model Context Protocol (MCP) server runs locally alongside developer tools. This exposes the host environment to potential privilege escalation, local command execution, and directory traversal if the MCP server is compromised.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there is no mention of built-in evaluation, logging, or guardrails to monitor the execution of the 42 skills or detect anomalous agent behaviors.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — being an open-source plugin marketplace, it lacks apparent centralized identity, authorization, or compliance controls, relying entirely on the host IDE's security posture.

L7 · Agent Ecosystem (✓ mapped)

The ecosystem features 6 distinct agents interacting via compounding workflows. This multi-agent architecture introduces risks of cascading failures, agent-to-agent trust abuse, and unexpected emergent behaviors across the marketplace plugins.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).