conductor — agentic threat model
Conductor introduces significant agentic risk by turning Claude Code into a project-management tool with direct write access to the working tree, creating a high-impact vector for automated code injection and unauthorized repository modification.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.40 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.60 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — Conductor relies on Claude Code (Anthropic's underlying Claude models). It is vulnerable to prompt injection that could hijack the 'Context → Spec → Implement' flow to generate malicious code or alter specifications.
Layer 2 (Data Operations): The plugin reads and persists context across the working tree. If malicious files or untrusted inputs are introduced into the repository, they poison the context, leading to compromised specifications and downstream implementations.
Layer 3 (Agent Frameworks): Conductor orchestrates planning and implementation commands. Vulnerabilities here include insecure tool integration, where the 'Implement' phase executes arbitrary shell commands or writes unauthorized files to the local filesystem.
Layer 4 (Deployment & Infrastructure): Not certain from the listing — As a Claude Code plugin, it likely runs locally in the user's terminal or development environment. If unsandboxed, compromised execution can lead to full host compromise and lateral movement within the developer's network.
Layer 5 (Evaluation & Observability): Not certain from the listing — There is no mention of built-in guardrails, logging, or evaluation mechanisms to detect when the implementation phase deviates from the spec or introduces security vulnerabilities.
Layer 6 (Security & Compliance): Not certain from the listing — The tool operates with the user's local permissions and lacks explicit authorization boundaries, access controls, or audit logging for the modifications it makes to the codebase.
Layer 7 (Agent Ecosystem): Not certain from the listing — While primarily a local developer tool, if integrated into CI/CD pipelines or multi-agent workflows, compromised outputs could propagate downstream, leading to supply chain attacks.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).