conductor — agentic threat model

AIVSS 9.2 · Critical

Conductor introduces significant agentic risk by turning Claude Code into a project-management tool with direct write access to the working tree, creating a high-impact vector for automated code injection and unauthorized repository modification.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.2
AARS uplift: 1.02
Factor sum: 5.4 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.40
Dynamic Tool Use: 0.80
Persistent Memory: 0.60
Contextual Awareness: 0.70
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.20
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
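The rationale above, carried through numerically: an added Python example (not the AIVSS calculator's own code) that recomputes this listing's score from the ten factors, the CVSS base, ThM and the mitigation factor as stated on the page. The qualitative severity bands and the 10.0 cap are assumptions, as is the use of a mitigation factor below 1.0 to credit compensating controls.

```python
# Worked OWASP AIVSS computation for the Conductor listing (added example; the
# formula and every input value come from the page, the bands and cap are assumed).

# Ten agentic risk factors as scored on the page, each in the range 0.0..1.0.
CONDUCTOR_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.40,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.60,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}
CVSS_BASE = 8.2           # conventional CVSS base score of the underlying weakness
THREAT_MULTIPLIER = 1.05  # ThM as given on the page
MITIGATION_FACTOR = 1.0   # 1.0 = no compensating controls credited (assumed meaning)

def factor_sum(factors):
    """Sum the agentic factors after checking each one lies within 0..1."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor {value} is outside 0..1")
    return sum(factors.values())

def aars(cvss_base, factors, thm):
    """Agentic uplift: the headroom above the CVSS base, scaled by factors and ThM."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm

def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor; the 10.0 cap is assumed."""
    return min(10.0, (cvss_base + aars(cvss_base, factors, thm)) * mitigation)

def severity(score):
    """Qualitative band; assumes the CVSS v3 bands apply to the AIVSS total."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"

def score_conductor(mitigation=MITIGATION_FACTOR):
    """Recompute the listing's score; a smaller mitigation models added controls."""
    total = aivss(CVSS_BASE, CONDUCTOR_FACTORS, THREAT_MULTIPLIER, mitigation)
    return {"aars": round(aars(CVSS_BASE, CONDUCTOR_FACTORS, THREAT_MULTIPLIER), 2),
            "aivss": round(total, 1), "severity": severity(total)}
```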

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Conductor relies on Claude Code (Anthropic's underlying Claude models). It is vulnerable to prompt injection that could hijack the 'Context → Spec → Implement' flow to generate malicious code or alter specifications.

L2 · Data Operations (✓ mapped)

The plugin reads and persists context across the working tree. If malicious files or untrusted inputs are introduced into the repository, they poison the context, leading to compromised specifications and downstream implementations.

L3 · Agent Frameworks (✓ mapped)

Conductor orchestrates planning and implementation commands. Vulnerabilities here include insecure tool integration where the 'Implement' phase executes arbitrary shell commands or writes unauthorized files to the local filesystem.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — as a Claude Code plugin, it likely runs locally in the user's terminal or development environment. If unsandboxed, compromised execution can lead to full host compromise and lateral movement within the developer's network.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, logging, or evaluation mechanisms to detect when the implementation phase deviates from the spec or introduces security vulnerabilities.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — The tool operates with the user's local permissions and lacks explicit authorization boundaries, access controls, or audit logging for the modifications it makes to the codebase.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — While primarily a local developer tool, if integrated into CI/CD pipelines or multi-agent workflows, compromised outputs could propagate downstream, leading to supply chain attacks.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).