
Dosu — agentic threat model

AIVSS 9.3 · Critical

Dosu presents a significant security profile due to its direct integration with GitHub repositories, making it highly susceptible to indirect prompt injection via public issues and pull requests, which could lead to unauthorized repository actions or token exposure.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.82
Factor sum: 5.2 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.40
Contextual Awareness: 0.80
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.20
Non-Determinism: 0.60
Opacity & Reflexivity: 0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
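To make the score above reproducible, here is an added worked example (not code from the listing or from the OWASP AIVSS project) that recomputes Dosu's AARS uplift and AIVSS score from the ten factor values and the formula exactly as printed; the severity bands are assumed to follow the CVSS v3.x ranges, and the optional mitigation_factor argument is a hypothetical lever for seeing how much a control would have to earn before the band changes.

```python
# Added example, not the listing's or the AIVSS project's code: recompute the
# Dosu AIVSS score from the inputs shown on the page.

# The ten agentic risk factors as listed for Dosu (each scored 0.0 to 1.0).
DOSU_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.70,
}
DOSU_CVSS_BASE = 8.5
DOSU_THREAT_MULTIPLIER = 1.05  # ThM as listed
DOSU_MITIGATION_FACTOR = 1.0   # no mitigation credit as listed


def factor_sum(factors):
    """Sum the ten factors; the formula divides by 10, so each must lie in [0, 1]."""
    if len(factors) != 10 or any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("expected ten factors, each scored between 0.0 and 1.0")
    return round(sum(factors.values()), 2)


def aars(cvss_base, factors, threat_multiplier):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM: the agentic uplift."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def severity(score):
    """Qualitative band, assumed to follow CVSS v3.x ranges (9.3 -> Critical, as on the page)."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"


def score_dosu(mitigation_factor=DOSU_MITIGATION_FACTOR):
    """Score Dosu as listed; a mitigation_factor below 1.0 is a hypothetical what-if."""
    score = aivss(DOSU_CVSS_BASE, DOSU_FACTORS, DOSU_THREAT_MULTIPLIER, mitigation_factor)
    return {
        "factor_sum": factor_sum(DOSU_FACTORS),
        "aars": round(aars(DOSU_CVSS_BASE, DOSU_FACTORS, DOSU_THREAT_MULTIPLIER), 2),
        "aivss": round(score, 1),
        "severity": severity(round(score, 1)),
    }
```

Running score_dosu() reproduces the listed 5.2 factor sum, 0.82 uplift and 9.3 Critical score; because the CVSS base of 8.5 already sits near the Critical band, even a hypothetical mitigation factor of 0.9 only brings it down to 8.4 (High).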

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — likely relies on commercial LLMs. The primary threat is indirect prompt injection, where malicious users submit GitHub issues containing adversarial instructions designed to hijack Dosu's behavior.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — processes repository code, issues, and documentation as its primary data source. Threats include knowledge-base poisoning via malicious pull requests and potential exfiltration of private repository contents if integrated with private codebases.

L3 · Agent Frameworks (✓ mapped)

Dosu orchestrates issue triage, commenting, and documentation updates. Vulnerabilities in its tool-calling framework could allow an attacker to manipulate GitHub API calls, leading to unauthorized issue closures, spamming, or unauthorized documentation modifications.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — hosted as a closed-source SaaS integration. A critical threat is the compromise of Dosu's hosting infrastructure, which could expose GitHub OAuth tokens or App private keys, granting attackers broad access to connected repositories.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — monitoring and guardrails are unspecified. Without robust logging and anomaly detection, stealthy prompt injection attacks or automated loops of incorrect triage actions could persist undetected.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Requires write permissions to GitHub issues, metadata, and potentially repository contents. The listing does not cite security compliance certifications (e.g., SOC2), posing compliance risks for enterprises integrating it into proprietary workflows.

L7 · Agent Ecosystem (✓ mapped)

Operates within the GitHub ecosystem alongside other developer tools. Threats include cascading feedback loops or trust abuse if other automated bots or CI/CD agents trigger or are triggered by Dosu's automated comments and issue updates.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).