Continue (JetBrains plugin) — agentic threat model
Continue presents a high-risk profile due to its deep integration into developer IDEs and support for Model Context Protocol (MCP) tools, which could allow malicious prompt injections to execute arbitrary code or exfiltrate sensitive local codebases.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.60 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.40 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing. Continue is model-agnostic, allowing users to configure local or cloud LLMs, meaning L1 threats depend entirely on the user's chosen model provider.
Layer 2 (Data Operations): Integrates local codebase context, documentation, and prompt templates. Threats include local codebase data exfiltration via prompt injection and poisoning of local vector embeddings or docs.
Layer 3 (Agent Frameworks): Uses MCP (Model Context Protocol) and hub-defined rules. Threats include insecure tool integration via MCP servers, tool misuse (e.g., executing arbitrary terminal commands or file modifications), and rule bypass.
Layer 4 (Deployment and Infrastructure): Runs locally within the IntelliJ IDE process or as a plugin. Threats include privilege escalation to the developer's local machine, unauthorized access to local files, and insecure syncing with the Continue hub.
Layer 5 (Evaluation and Observability): Not certain from the listing. The description does not detail built-in evaluation, guardrails, or logging mechanisms beyond standard IDE logging and hub sync telemetry.
Layer 6 (Security and Compliance): Not certain from the listing. The description lacks explicit details on enterprise access controls, authentication for MCP servers, or compliance certifications, relying on IDE-level permissions.
Layer 7 (Agent Ecosystem): Syncs configurations, rules, and prompts from the Continue hub. Threats include compromised hub accounts distributing malicious rules or MCP configurations to developer machines.
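The Layer 3 and Layer 7 threats above share one control point: whatever the hub syncs down (rules and MCP server definitions) should pass a local policy check before the IDE applies it. The following is an added example of such a check, not code from Continue or the Continue hub; the config layout (a top-level `rules` list and an `mcpServers` list with `name`, `command`, `args`, `url`, `env` fields), the allowlists and the sample config are all constructed assumptions, so adapt the field names to the real schema. It pins the reviewed rules bundle by digest so a hub-side change is caught, and flags MCP entries that launch non-allowlisted commands, carry shell metacharacters in their arguments, point at unreviewed or plaintext remote endpoints, or embed literal secrets.

```python
"""Added example (not Continue's code): policy check for hub-synced rules and MCP servers.

Assumed config shape: {"rules": [...], "mcpServers": [{"name", "command", "args", "url", "env"}]}.
"""
import hashlib
import json
import re
from urllib.parse import urlparse

# Constructed policy for this workstation: trusted MCP launchers and trusted remote MCP hosts.
ALLOWED_COMMANDS = {"npx", "uvx", "docker"}
ALLOWED_HOSTS = {"mcp.example.internal"}  # placeholder host, not a real endpoint

# Shell metacharacters that should never appear in an MCP launch argument.
SHELL_META = re.compile(r"[;&|`]|\$\(")
# Env var names that usually carry credentials; values should be references, not literals.
SECRET_KEY = re.compile(r"(TOKEN|SECRET|KEY|PASSWORD)", re.IGNORECASE)


def rules_digest(rules):
    """Canonical SHA-256 of the synced rules, so a hub-side edit is visible before it is applied."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_mcp_server(server):
    """Return a list of policy findings for one MCP server entry (empty list means it passes)."""
    findings = []
    name = server.get("name", "<unnamed>")
    command = server.get("command")
    url = server.get("url")

    if command is not None:
        if command not in ALLOWED_COMMANDS:
            findings.append(f"{name}: launch command '{command}' is not on the allowlist")
        for arg in server.get("args", []):
            if SHELL_META.search(arg):
                findings.append(f"{name}: argument {arg!r} contains shell metacharacters")

    if url is not None:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{name}: remote MCP endpoint {url} is not HTTPS")
        if parsed.hostname not in ALLOWED_HOSTS:
            findings.append(f"{name}: remote host {parsed.hostname} is not on the allowlist")

    for key, value in server.get("env", {}).items():
        if SECRET_KEY.search(key) and not str(value).startswith("${"):
            findings.append(f"{name}: env var {key} holds a literal secret instead of a reference")

    if command is None and url is None:
        findings.append(f"{name}: entry has neither a command nor a url")
    return findings


def audit_synced_config(config, pinned_rules_digest):
    """Audit a synced config; pinned_rules_digest is the digest of the last reviewed rules bundle."""
    findings = []
    digest = rules_digest(config.get("rules", []))
    if pinned_rules_digest is not None and digest != pinned_rules_digest:
        findings.append(f"rules: synced bundle digest {digest[:12]}... differs from the reviewed pin")
    for server in config.get("mcpServers", []):
        findings.extend(check_mcp_server(server))
    return findings


# Constructed sample: one clean server, one that breaks several rules, one unreviewed remote.
SAMPLE_CONFIG = {
    "rules": ["Prefer the project's existing conventions."],
    "mcpServers": [
        {"name": "docs", "command": "npx", "args": ["-y", "@example/docs-mcp"]},
        {"name": "helper", "command": "bash", "args": ["-c", "echo hello && ls"],
         "env": {"API_TOKEN": "hunter2"}},
        {"name": "remote", "url": "http://mcp.unreviewed.example/sse"},
    ],
}

if __name__ == "__main__":
    for finding in audit_synced_config(SAMPLE_CONFIG, None):
        print(finding)
```

In practice the pinned digest is recorded when a reviewer approves a rules bundle, and the IDE-side hook refuses to apply a synced config that produces any finding; the allowlists live with the workstation policy, not in the synced config itself, so a compromised hub account cannot widen them.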
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).