Cursor SDK (plugin) — agentic threat model
The Cursor SDK plugin acts as a development scaffold and template, presenting low direct runtime risk but high supply-chain risk, as vulnerabilities in its prompts or auth/CI templates could lead to insecure downstream agent implementations.
OWASP AIVSS score rationale

| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.00 |
| Contextual Awareness | 0.40 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.20 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, one per MAESTRO layer. Layers tagged "Not certain from the listing" are general, caveated commentary where the public description did not pin that layer down.

1. Foundation Models: Not certain from the listing. The plugin relies on Cursor's underlying LLMs (e.g., Claude, GPT-4). Threats include prompt injection bypassing the plugin's rules or generating insecure SDK patterns.
2. Data Operations: Not certain from the listing. The plugin uses local codebase context via Cursor. Threats include codebase data exfiltration if malicious MCP tools are configured.
3. Agent Frameworks: The plugin guides orchestration using @cursor/sdk and MCP. Threats include insecure tool integration, insecure MCP wiring, and generation of vulnerable agent code.
4. Deployment and Infrastructure: The plugin scaffolds CI/automation pipelines. Threats include insecure CI/CD configurations, credential leakage in logs, and lack of sandboxing for executed scripts.
5. Evaluation and Observability: Not certain from the listing. No built-in evaluation or observability tools are mentioned for the generated agents.
6. Security and Compliance: The plugin teaches auth/token handling. Threats include hardcoded credentials, insecure token storage, and lack of compliance audits in generated scaffolds.
7. Agent Ecosystem: The plugin integrates with the Model Context Protocol (MCP) ecosystem. Threats include connecting to malicious/untrusted MCP servers or cascading failures in multi-agent setups.
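Because the plugin's risk is mostly in what it scaffolds, the practical control is a review gate on generated files before they are committed. The script below is an added example, not code from the Cursor SDK plugin or from Cursor: it audits a constructed set of scaffold outputs for three of the weaknesses listed under the Deployment/Infrastructure, Security/Compliance and Agent Ecosystem layers (credentials hardcoded in generated source, CI steps that echo secrets into job logs, and MCP server entries that use plain HTTP or point at hosts outside an allowlist). The file contents, the `mcpServers` config shape, the allowlist and every host and key value are assumptions constructed for the example.

```python
"""Hypothetical pre-commit audit for files produced by an agent scaffold.

Added example, not the Cursor SDK plugin's own code. All sample files below are
constructed; the credential value is a placeholder, not a real key.
"""
import json
import re
from typing import Dict, Iterable, List, NamedTuple
from urllib.parse import urlparse


class Finding(NamedTuple):
    path: str
    line: int      # 1-based; 0 when the finding concerns the whole file
    rule: str
    detail: str


# Assignment of a quoted literal to a credential-looking name, e.g. API_KEY = "sk-..."
HARDCODED_SECRET = re.compile(
    r"""^\s*(?:const|let|var|export)?\s*"""
    r"""([A-Za-z_]*(?:KEY|TOKEN|SECRET|PASSWORD|Key|Token|Secret|Password)[A-Za-z_]*)"""
    r"""\s*[:=]\s*["'][^"'\s]{8,}["']"""
)
# A CI step that prints a ${{ secrets.* }} value expands it into the job log
# (log masking is best-effort, so treat this as leakage).
CI_SECRET_ECHO = re.compile(r"\b(?:echo|printf|cat)\b.*\$\{\{\s*secrets\.")

CODE_SUFFIXES = (".py", ".js", ".ts", ".env")
CI_SUFFIXES = (".yml", ".yaml")


def check_hardcoded_secrets(path: str, text: str) -> List[Finding]:
    """Flag string literals assigned to KEY/TOKEN/SECRET/PASSWORD-style names."""
    return [
        Finding(path, n, "hardcoded-secret", f"literal assigned to {m.group(1)}")
        for n, line in enumerate(text.splitlines(), start=1)
        if (m := HARDCODED_SECRET.match(line))
    ]


def check_ci_secret_echo(path: str, text: str) -> List[Finding]:
    """Flag CI steps that print a secret, which lands it in the job log."""
    return [
        Finding(path, n, "ci-secret-echo", "step echoes a CI secret into the log")
        for n, line in enumerate(text.splitlines(), start=1)
        if CI_SECRET_ECHO.search(line)
    ]


def check_mcp_servers(path: str, text: str, allowed_hosts: set) -> List[Finding]:
    """Flag remote MCP servers that are not HTTPS or not on the allowlist.

    Assumes a {"mcpServers": {name: {"url": ...} | {"command": ...}}} layout;
    command-based (local process) servers are left for manual review here.
    """
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [Finding(path, 0, "mcp-config-unparseable", str(exc))]
    findings: List[Finding] = []
    for name, server in config.get("mcpServers", {}).items():
        url = server.get("url")
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(Finding(path, 0, "mcp-insecure-transport", f"{name}: {url} is not https"))
        if parsed.hostname not in allowed_hosts:
            findings.append(Finding(path, 0, "mcp-untrusted-host", f"{name}: {parsed.hostname!r} not allowlisted"))
    return findings


def audit_scaffold(files: Dict[str, str], allowed_mcp_hosts: Iterable[str]) -> List[Finding]:
    """Run every check that applies to each generated file; return all findings."""
    allowed = set(allowed_mcp_hosts)
    findings: List[Finding] = []
    for path, text in files.items():
        if path.endswith(CODE_SUFFIXES):
            findings += check_hardcoded_secrets(path, text)
        if path.endswith(CI_SUFFIXES):
            findings += check_ci_secret_echo(path, text)
        if path.endswith("mcp.json"):
            findings += check_mcp_servers(path, text, allowed)
    return findings


# Constructed scaffold output: one bad credential, one leaky CI step, one bad MCP entry.
SAMPLE_FILES: Dict[str, str] = {
    "agent/config.py": (
        "import os\n"
        'API_KEY = "sk-live-EXAMPLEEXAMPLEEXAMPLE"   # constructed placeholder, flagged\n'
        'SESSION_TOKEN = os.environ["CURSOR_SESSION_TOKEN"]  # the pattern to emit instead\n'
        "TIMEOUT = 30\n"
    ),
    ".github/workflows/ci.yml": (
        "name: ci\njobs:\n  test:\n    steps:\n"
        '      - run: echo "token=${{ secrets.CURSOR_TOKEN }}"\n'
        "      - run: ./scripts/deploy.sh\n        env:\n"
        "          CURSOR_TOKEN: ${{ secrets.CURSOR_TOKEN }}\n"
    ),
    "mcp.json": json.dumps({"mcpServers": {
        "docs": {"url": "https://mcp.example.internal/docs"},
        "shady": {"url": "http://203.0.113.9/mcp"},
        "local-fs": {"command": "node", "args": ["fs-server.js"]},
    }}),
}
ALLOWED_MCP_HOSTS = {"mcp.example.internal"}  # assumed organisational allowlist

if __name__ == "__main__":
    for f in audit_scaffold(SAMPLE_FILES, ALLOWED_MCP_HOSTS):
        print(f"{f.path}:{f.line} [{f.rule}] {f.detail}")
```

Run against the constructed files this reports four findings: the literal `API_KEY`, the `echo` step on line 5 of the workflow, and two for the `shady` server (plain HTTP and a host outside the allowlist); the `docs` server and the environment-variable token pattern pass. The checks are deliberately narrow pattern matches, so they belong beside a proper secret scanner in CI rather than in place of one.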
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).