dash0 — agentic threat model
Dash0 is an observability plugin for Claude Code that poses a moderate-to-high data exposure risk, as it captures and transmits sensitive session telemetry (including LLM invocations and tool calls) to external OTel backends without built-in sanitization or security controls mentioned.
OWASP AIVSS score rationale
| Autonomy of Action | 0.10 | |
| Goal-Driven Planning | 0.00 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.20 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.30 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.10 | |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The plugin does not provide foundation models itself, but because it intercepts LLM invocations from Claude Code, any vulnerabilities in the underlying model (like prompt injection) could result in malicious payloads being captured and logged in the telemetry stream.
The plugin captures and processes session data, tool calls, and LLM inputs/outputs. The primary threat is data exfiltration or leakage of sensitive information (such as API keys, PII, or proprietary code) contained within those traces to unauthorized OTel backends.
Instruments Claude Code sessions via hooks. If the hook mechanism is compromised, an attacker could manipulate the telemetry data, bypass logging, or exploit the integration to intercept tool execution details.
Telemetry is sent to Dash0 or any OTel-compatible backend. Threats include insecure transmission (lack of TLS), unauthorized access to the OTel collector, or interception of the telemetry stream in transit.
As an observability tool, its main risk is the accidental logging of sensitive data (credentials, secrets, PII) in traces, creating a high-value target for attackers looking to harvest credentials from monitoring logs.
Not certain from the listing — There is no mention of access control, encryption at rest/in transit, or compliance certifications (like SOC2) for how the captured telemetry data is handled and secured.
The plugin operates within the Claude Code ecosystem. If Claude Code interacts with other agents, this plugin could inadvertently capture and expose multi-agent interaction traces, leading to cascading data exposure across the ecosystem.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).