
Endor Labs ai-plugins — agentic threat model

AIVSS 8.1 · High

This agent possesses elevated risk due to its integration with Claude Code and the local filesystem, allowing it to execute the endorctl CLI, scan codebases, and directly modify source code to apply security fixes.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.7
AARS uplift: 1.28
Factor sum: 5.3 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.9

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.20
Dynamic Tool Use: 0.80
Persistent Memory: 0.30
Contextual Awareness: 0.70
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.50
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
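The following is an added worked example, not part of the listing or of the Endor Labs plugin: it reproduces the published score from the formula and the ten factor values above, and decomposes the final number into the mitigated CVSS base plus a per-factor contribution, which shows how little any single agentic factor moves the score relative to the CVSS base. The 10.0 cap is an assumption carried over from CVSS; the page does not state one.

```python
"""Reproduce the OWASP AIVSS score shown in the listing from its inputs.

Added example, not code from the listing. Formula as printed on the page:
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
"""

# The ten agentic risk factors exactly as listed for Endor Labs ai-plugins.
ENDOR_AI_PLUGINS_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}


def aars(cvss_base, factors, threat_multiplier):
    """Agentic AI Risk Score: the headroom above the CVSS base (10 - base),
    scaled by the normalised factor sum and the threat multiplier."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range 0-10: {cvss_base}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range 0-1: {value}")
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Return the breakdown the listing prints: factor_sum, aars and aivss,
    rounded to the same precision as the page."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    score = (cvss_base + uplift) * mitigation_factor
    score = min(score, 10.0)  # assumption: capped at 10 like CVSS; not stated on the page
    return {
        "factor_sum": round(sum(factors.values()), 2),
        "aars": round(uplift, 2),
        "aivss": round(score, 1),
    }


def decompose(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Split the final (uncapped) score into the mitigated CVSS base and the
    amount each agentic factor adds. The formula is linear in the factor sum,
    so each factor contributes (10 - base) * (v / 10) * ThM * Mitigation."""
    per_factor_weight = (10.0 - cvss_base) / 10.0 * threat_multiplier * mitigation_factor
    return {
        "base_component": cvss_base * mitigation_factor,
        "factor_contributions": {name: v * per_factor_weight for name, v in factors.items()},
    }


if __name__ == "__main__":
    print(aivss(7.7, ENDOR_AI_PLUGINS_FACTORS, 1.05, 0.9))
    parts = decompose(7.7, ENDOR_AI_PLUGINS_FACTORS, 1.05, 0.9)
    for name, contribution in sorted(parts["factor_contributions"].items(), key=lambda kv: -kv[1]):
        print(f"{name:26s} +{contribution:.3f}")
```

Running it reproduces 5.3 / 1.28 / 8.1. The decomposition makes the practical point: the whole agentic uplift is worth about 1.15 points after mitigation, and zeroing even the largest factor (Dynamic Tool Use, 0.80) would lower the score by under 0.2, so the High rating is driven mainly by the CVSS base, not by the agentic factors.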

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description does not pin that layer down; they are inferences from how Claude Code plugins typically run, not facts taken from the listing.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing: the plugin relies on whichever model the host Claude Code session is running for its reasoning, so it inherits that model's susceptibility to prompt injection. Instructions planted in content the agent reads (source comments, dependency manifests, scan output) could steer it into dismissing a real vulnerability or introducing malicious code under the guise of a dependency fix.

L2 · Data Operations · ✓ mapped

The agent processes local codebase files, dependency manifests, and Endor Labs scan results. Risks include data exfiltration of proprietary source code or dependency trees if the agent is manipulated by malicious inputs within the codebase.

L3 · Agent Frameworks · ✓ mapped

Orchestrated via Claude Code and MCP tools to drive the endorctl CLI. Insecure tool integration could allow an attacker to hijack CLI arguments or exploit the agent's capability to write 'in-place' code fixes, leading to unauthorized code modification.
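The argument-hijacking risk above is best illustrated by what the tool boundary should look like. The following is an added illustrative example, not code from Endor Labs or Claude Code: an MCP-style wrapper that only ever builds an argv list (never a shell string), allowlists the subcommand and flags the model may request, refuses values that the CLI would parse as further flags, confines any path to the repository, and runs the binary with a minimal environment so the developer's shell secrets are not handed to it. The subcommand and flag names (`scan`, `--path`) are assumptions for illustration, not a description of endorctl's real interface.

```python
"""Argument hardening for an MCP-style tool that drives a CLI on the agent's behalf.

Added illustrative example, not code from Endor Labs or Claude Code. The subcommand
and flag names used here ("scan", "--path") are assumptions for illustration, not a
description of endorctl's real interface; the checks themselves apply to any CLI an
agent is allowed to invoke.
"""
import os
import subprocess
from pathlib import Path

# Subcommands the model may request. Anything else is refused outright, so an
# injected instruction cannot turn a scan into an arbitrary endorctl invocation.
ALLOWED_SUBCOMMANDS = {"scan"}            # assumption: illustrative allowlist
# Flags the model may set, mapped to the validator that checks their value.
ALLOWED_FLAGS = {"--path": "repo_path"}   # assumption: illustrative allowlist


class ToolArgumentError(ValueError):
    """Raised when a requested invocation fails validation."""


def _confine_path(value, repo_root):
    """Resolve value against repo_root and refuse anything that escapes it."""
    root = Path(repo_root).resolve()
    target = (root / value).resolve()   # an absolute `value` replaces root and is caught below
    if target != root and root not in target.parents:
        raise ToolArgumentError(f"path escapes repository root: {value!r}")
    return str(target)


def build_endorctl_argv(subcommand, options, repo_root=None):
    """Build an argv list (never a shell string) from a model-supplied request."""
    repo_root = repo_root or os.getcwd()
    if subcommand not in ALLOWED_SUBCOMMANDS:
        raise ToolArgumentError(f"subcommand not allowed: {subcommand!r}")
    argv = ["endorctl", subcommand]
    for flag, value in options.items():
        if flag not in ALLOWED_FLAGS:
            raise ToolArgumentError(f"flag not allowed: {flag!r}")
        # A value beginning with '-' would be parsed by the CLI as another flag.
        if not isinstance(value, str) or value.startswith("-"):
            raise ToolArgumentError(f"bad value for {flag}: {value!r}")
        if ALLOWED_FLAGS[flag] == "repo_path":
            value = _confine_path(value, repo_root)
        argv += [flag, value]
    return argv


def safe_to_run(subcommand, options, repo_root=None):
    """True if the request passes every check, False otherwise (handy for policy tests)."""
    try:
        build_endorctl_argv(subcommand, options, repo_root)
        return True
    except ToolArgumentError:
        return False


def run_endorctl(subcommand, options, repo_root=None, cli_env=None, timeout=600):
    """Validate, then execute with a minimal environment so the developer's shell
    variables (cloud credentials, tokens) are not handed to the tool. cli_env carries
    only what the CLI itself needs and is supplied explicitly by the caller."""
    argv = build_endorctl_argv(subcommand, options, repo_root)
    env = {"PATH": os.environ.get("PATH", ""), "HOME": os.environ.get("HOME", "")}
    env.update(cli_env or {})
    return subprocess.run(argv, cwd=repo_root or os.getcwd(), env=env,
                          capture_output=True, text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    for request in [("scan", {"--path": "src"}), ("scan", {"--path": "../../etc"}),
                    ("scan", {"--path": "--verbose"}), ("rm", {})]:
        print(request, "->", "allowed" if safe_to_run(*request) else "refused")
```

The same shape applies to the write side of the plugin: a fix that lands "in place" should go through an equally narrow path validator before anything is written.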

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing: the agent runs locally within the user's development environment or in a CI/CD pipeline where Claude Code is hosted. If that environment lacks strict sandboxing, a compromised agent could escalate privileges or read sensitive local environment variables and secrets.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing: the agent relies on Claude Code's built-in logging and Endor Labs platform reporting. There is a risk of blind spots if the agent silently fails to report a critical vulnerability or if its remediation actions are not explicitly audited before commit.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

The agent manages sensitive API keys/credentials to provision and authenticate the endorctl CLI. Weaknesses in credential storage or lack of explicit human-in-the-loop approval policies for code commits present significant compliance and security risks.
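The audit gap noted under L5 and the missing human-in-the-loop policy noted here can be closed by the same mechanism. The following is an added illustrative example, not code from Endor Labs or Claude Code: a fix is first rendered as a unified diff without touching the file, an approval callback (the human step) decides on that exact diff, every decision is appended to an audit record keyed by the diff's SHA-256, and the file is written only on approval. The (path, new contents) representation of a fix, the callback signature, the audit entry layout and the sample manifest are all assumptions.

```python
"""Gate the plugin's in-place code fixes behind explicit approval and an audit record.

Added illustrative example, not code from Endor Labs or Claude Code. It assumes the
plugin expresses a fix as (relative path, new file contents); the approve() callback,
the audit entry layout and the sample manifest in demo() are hypothetical/constructed.
"""
import difflib
import hashlib
import tempfile
import time
from pathlib import Path


def propose_fix(repo_root, rel_path, new_text):
    """Return the unified diff the fix would produce, without writing anything."""
    root = Path(repo_root).resolve()
    target = (root / rel_path).resolve()
    if root not in target.parents:
        raise ValueError(f"refusing to edit outside the repository: {rel_path!r}")
    old_text = target.read_text() if target.exists() else ""
    diff = difflib.unified_diff(
        old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
        fromfile=f"a/{rel_path}", tofile=f"b/{rel_path}")
    return "".join(diff)


def apply_fix_with_approval(repo_root, rel_path, new_text, approve, audit_log):
    """Write the fix only if approve(rel_path, diff) returns truthy; log every decision.

    approve is the human-in-the-loop step (in practice: show the diff, ask). audit_log is
    any object with .append(); in practice a JSONL file or the CI job log.
    Returns True when the file was modified."""
    diff = propose_fix(repo_root, rel_path, new_text)
    if not diff:                      # nothing to change, nothing to approve
        return False
    decision = bool(approve(rel_path, diff))
    audit_log.append({
        "ts": time.time(),
        "path": rel_path,
        "diff_sha256": hashlib.sha256(diff.encode()).hexdigest(),  # ties the record to this exact patch
        "approved": decision,
    })
    if decision:
        (Path(repo_root) / rel_path).write_text(new_text)
    return decision


def demo():
    """Run the gate against a constructed one-line manifest; returns what happened."""
    with tempfile.TemporaryDirectory() as d:
        manifest = Path(d) / "requirements.txt"
        manifest.write_text("example-lib==1.0.0\n")   # constructed sample, not a real package pin
        proposed = "example-lib==1.0.1\n"
        log = []
        denied = apply_fix_with_approval(d, "requirements.txt", proposed,
                                         lambda p, diff: False, log)
        after_denied = manifest.read_text()
        # A reviewer approves only after seeing the expected removal in the diff.
        approved = apply_fix_with_approval(d, "requirements.txt", proposed,
                                           lambda p, diff: "-example-lib==1.0.0" in diff, log)
        after_approved = manifest.read_text()
        return {
            "denied_written": denied, "after_denied": after_denied,
            "approved_written": approved, "after_approved": after_approved,
            "decisions": [e["approved"] for e in log],
        }


if __name__ == "__main__":
    print(demo())
```

Hashing the diff rather than the file means the audit entry still identifies what was approved even if the file later changes again; in a CI setting the approval callback would be replaced by a policy check (for example, refusing to auto-approve anything that edits a manifest or lockfile).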

L7 · Agent Ecosystem · ✓ mapped

Operates as a plugin within the Claude Code ecosystem. It interacts directly with the primary coding agent, creating a risk of cascading trust failures where a compromised primary agent misuses the Endor Labs plugin tools to bypass security scans.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).