← Continual Learning (Cursor plugin)
Continual Learning (Cursor plugin) — agentic threat model
This agent presents a moderate-to-high risk profile due to its direct write access to project files (AGENTS.md) and its ingestion of full conversation transcripts, which could lead to persistent memory poisoning and indirect prompt injection.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.70 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.90 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — relies on the underlying LLM configured within the host Cursor environment. The primary L1 threat is indirect prompt injection, where malicious code or comments in the workspace manipulate the model during transcript processing.
The agent reads full conversation transcripts and writes to AGENTS.md. This creates a high risk of data poisoning, where adversarial inputs in the conversation transcript are distilled into persistent project memory, permanently altering the agent's future behavior.
The framework orchestrates transcript-driven memory extraction and file updates. Vulnerabilities here include insecure memory poisoning and lack of validation on the 'high-signal' filtering logic, potentially allowing attackers to inject arbitrary instructions into AGENTS.md.
Runs locally as a Cursor plugin. The infrastructure security is entirely dependent on the local workstation's security posture and Cursor's internal sandbox. If compromised, it has the local user's privileges to read/write workspace files.
Not certain from the listing — there is no mention of built-in guardrails, evaluation mechanisms, or logging to detect when poisoned or malicious memory bullets are being appended to the AGENTS.md file.
Not certain from the listing — lacks explicit compliance controls, access policies, or audit logs beyond standard git tracking of the AGENTS.md file. It relies on the user manually reviewing git diffs to catch unauthorized memory modifications.
Designed to interact with other coding agents by shaping their instructions across sessions. A compromise or poisoning of this agent's memory output directly results in cascading failures and compromised behavior of any other agent reading AGENTS.md.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).