Devon — agentic threat model

AIVSS 8.4 · High

Devon is an open-source AI pair programmer that operates within local developer environments. It presents a moderate-to-high risk profile because it has access to proprietary codebases and may execute local tools. The listing mentions no explicit sandboxing or verification controls, so integrating it into workflows requires careful local isolation to prevent code exfiltration or malicious code injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5 · AARS uplift 0.9 · Factor sum 3.6/10 · Threat ×1.0 · Mitigation ×1.0

Autonomy of Action: 0.30
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.50
Persistent Memory: 0.20
Contextual Awareness: 0.60
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The specific foundation models powering Devon are not disclosed. Threats include adversarial prompt injection that could trick the model into generating insecure code or introducing subtle backdoors into the developer's codebase.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — It is unclear how Devon indexes, stores, or processes local codebase data (e.g., via local vector databases or AST parsing). Risks include data exfiltration of intellectual property if code snippets are sent to external LLM APIs without encryption or anonymization.

L3 · Agent Frameworks ⚠ not certain from listing

Not certain from the listing — The orchestration framework for Devon's debugging and code suggestion capabilities is not detailed. Insecure tool integration is a primary threat if the agent can execute local terminal commands, compilers, or test runners without strict user confirmation.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — The deployment architecture (local IDE extension, CLI, or self-hosted container) is not specified. If run locally without containerization or sandboxing, a compromised agent could lead to local privilege escalation or host compromise.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, logging, or observability tools to monitor Devon's suggestions or actions, creating blind spots for security teams trying to audit AI-generated code.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — No compliance certifications (such as SOC2 or ISO 27001) or enterprise policy controls are mentioned. Organizations must rely on external code review processes to ensure compliance and security.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — Devon appears to operate as a standalone pair programmer rather than a multi-agent system, meaning ecosystem risks like agent-to-agent trust abuse are likely minimal or absent.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).