
Continue (VS Code extension) — agentic threat model

AIVSS 8.4 · High

Continue presents a high-risk profile because its Agent mode launches Model Context Protocol (MCP) servers, which can expose shell access, directly on the developer's local machine. Synchronizing configurations and rules from an external hub (hub.continue.dev) adds a significant supply-chain vector for prompt injection or malicious tool execution.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.83
Factor sum: 5.5/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.9

Worked through: AARS = (10 − 8.5) × (5.5 / 10) × 1.0 = 0.825 (shown as 0.83); AIVSS = (8.5 + 0.825) × 0.9 = 8.39, rounded to 8.4.
Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.30
Dynamic Tool Use: 0.80
Persistent Memory: 0.40
Contextual Awareness: 0.80
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.50
Non-Determinism: 0.70
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Continue is model-agnostic and supports various LLMs via config.yaml. Threats depend heavily on the chosen foundation model, including prompt injection, model alignment issues, and adversarial reprogramming.

L2 · Data Operations (✓ mapped)

Ingests local codebase data, documentation, and context providers. Threats include local data exfiltration via malicious prompts, poisoning of local documentation sources, and unauthorized access to sensitive files within the workspace.

L3 · Agent Frameworks (✓ mapped)

Orchestrates agentic behavior using config.yaml and MCP servers. Threats include tool misuse (e.g., executing destructive shell commands via MCP), insecure tool integration, and prompt injection bypassing system-defined rules.

L4 · Deployment & Infrastructure (✓ mapped)

Runs locally as a VS Code extension. Threats include local host compromise and privilege escalation if MCP servers run unsandboxed, as well as insecure storage of API keys and secrets in the local config.yaml.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No explicit mention of built-in evaluation, logging, or guardrails, though rules are injected into every request. Gaps in observability could allow malicious tool executions to go unnoticed.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Syncs configurations and rules from hub.continue.dev. Threats include compromised hub synchronization leading to malicious rule injection, lack of centralized enterprise policy enforcement, and compliance gaps regarding local code processing.

L7 · Agent Ecosystem (✓ mapped)

Integrates with external MCP servers and syncs assistants via the hub. Threats include supply chain attacks from compromised third-party MCP servers or malicious assistant configurations downloaded from the hub.
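A pre-load check for three of the threats mapped above: plaintext API keys in the local config.yaml (L4), MCP server entries that hand the agent a shell (L3), and blocks pulled from the hub that nobody has reviewed (L6/L7). This is an added example and not Continue's own code. The config.yaml shape it scans (`models` entries with `apiKey`, `mcpServers` entries with `command` and `args`, `rules` entries with `uses`, and `${{ secrets.NAME }}` as the only accepted secret form) is a simplified stand-in for the project's schema, and the command allowlist and the sample config are constructed for the example.

```python
"""Audit a Continue-style config.yaml for inline secrets, shell-backed MCP servers and unreviewed hub blocks.

Added example; the config shape, secret syntax and allowlist below are assumptions, not the project's schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Only accept secrets as hub references of the form ${{ secrets.NAME }} (assumed syntax).
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$")
# Launchers an MCP server entry may use without review (assumed allowlist).
ALLOWED_MCP_COMMANDS = {"npx", "uvx", "node", "python", "python3", "docker"}
# A server whose command is itself a shell gives the model an unrestricted command line.
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
# Matches 'key: value' lines, with or without a leading list dash.
KV = re.compile(r"^(\s*)(-\s+)?([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    line: int
    severity: str  # "high", "medium" or "info"
    message: str


def audit_config(text: str) -> list[Finding]:
    """Line-oriented scan: no YAML dependency, enough for the flat config shape assumed here."""
    findings: list[Finding] = []
    section = None  # current top-level key, e.g. "models" or "mcpServers"
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KV.match(raw)
        if not m:
            continue
        indent, dash, key, value = m.groups()
        if not indent and not dash:
            section = key  # unindented 'key:' starts a new top-level section
            continue
        value = value.strip("\"'")
        if key == "apiKey" and value and not SECRET_REF.match(value):
            findings.append(Finding(lineno, "high",
                "inline API key stored in config.yaml; replace with a ${{ secrets.NAME }} reference"))
        if section == "mcpServers" and key == "command":
            if value in SHELLS:
                findings.append(Finding(lineno, "high",
                    f"MCP server launches a shell ({value}); the agent can run arbitrary commands"))
            elif value not in ALLOWED_MCP_COMMANDS:
                findings.append(Finding(lineno, "medium",
                    f"MCP server command {value!r} is not on the allowlist; review before enabling"))
        if key == "uses":
            findings.append(Finding(lineno, "info",
                f"block {value!r} is synced from the hub; pin it and review its rules before trusting"))
    return findings


def has_blocking_findings(findings: list[Finding]) -> bool:
    """True when at least one finding should stop the config from being loaded."""
    return any(f.severity == "high" for f in findings)


# Constructed sample config (not a real user's file): one inline key, one hub secret,
# one benign MCP server, one shell-backed MCP server and one hub-synced rules block.
SAMPLE_CONFIG = """\
name: Local assistant
version: 0.0.1
schema: v1
models:
  - name: Claude (inline key)
    provider: anthropic
    model: claude-3-5-sonnet-latest
    apiKey: sk-ant-EXAMPLE-NOT-A-REAL-KEY
  - name: Claude (hub secret)
    provider: anthropic
    model: claude-3-5-sonnet-latest
    apiKey: ${{ secrets.ANTHROPIC_API_KEY }}
mcpServers:
  - name: filesystem
    command: npx
    args: ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/project"]
  - name: shell
    command: bash
    args: ["-c", "$CMD"]
rules:
  - uses: some-org/coding-rules
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line:>2} [{f.severity}] {f.message}")
```

Run against the sample it reports the inline key and the `bash` server as blocking and the hub rules block as informational; the `npx` filesystem server passes the allowlist but still deserves a look at its `args`, since the directory it is pointed at is the blast radius for the L2 exfiltration threat.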

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).