Gemini CLI — agentic threat model
Gemini CLI presents a high-risk profile due to its direct shell execution and file manipulation capabilities combined with web grounding, making it highly susceptible to indirect prompt injection leading to arbitrary code execution on the host system.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary where the public description did not pin down that layer.
Layer 1 (Foundation Models): Uses Gemini 2.5 Pro. Highly vulnerable to indirect prompt injection via web grounding (Google Search) or reading untrusted local files, which can hijack the model's reason-and-act (ReAct) loops.
Layer 2 (Data Operations): Processes local files, multimodal inputs (images, video), and web grounding data. Risks include data exfiltration if the model is manipulated into sending local file contents to external endpoints via search queries or MCP tools.
Layer 3 (Agent Frameworks): Orchestrated via ReAct loops and the Model Context Protocol (MCP). Insecure tool integration is a primary threat, as the framework translates LLM outputs directly into terminal commands and file modifications.
Layer 4 (Deployment and Infrastructure): Runs directly on the user's host operating system (Windows, macOS, Linux). Lacks default sandboxing, meaning any compromised execution inherits the full privileges of the terminal user, leading to potential host compromise.
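The two layers above share one mitigation: a policy gate between the model's proposed tool call and its execution, so that file access stays inside the workspace and shell commands that would change the host or reach the network require explicit approval. The following is an added example, not Gemini CLI's own code; the tool names (`read_file`, `write_file`, `run_shell_command`, `mcp_call`), the workspace root `/work/app`, the allow-lists and the MCP server names are constructed assumptions.

```python
import os
import shlex

WORKSPACE = os.path.realpath("/work/app")  # assumed project root the session started in

# Commands the gate runs without asking; anything else is escalated to the user.
AUTO_APPROVE = {"ls", "cat", "grep", "git", "pytest"}
# Binaries that are never auto-approved, even inside an allowed pipeline.
DANGEROUS_BINARIES = {"rm", "sudo", "curl", "wget", "chmod", "dd", "mkfs", "nc", "ssh", "scp"}
# Shell metacharacters that turn one command into several or redirect output.
SHELL_META = set("|;&><`$")
# MCP servers the user has explicitly trusted (constructed names).
TRUSTED_MCP_SERVERS = {"internal-docs", "ticket-tracker"}


def confine(path, root=WORKSPACE):
    """True if path (relative or absolute) resolves to a location under root."""
    full = os.path.realpath(os.path.join(root, path))
    return full == root or full.startswith(root + os.sep)


def gate(tool_call):
    """Decide ('allow' | 'ask' | 'deny', reason) for a proposed tool call."""
    name, args = tool_call["name"], tool_call["args"]

    if name in {"read_file", "write_file"}:
        if not confine(args["path"]):
            return ("deny", f"{args['path']} resolves outside {WORKSPACE}")
        # Reads inside the workspace are cheap; writes still get a prompt.
        return ("allow", "read inside workspace") if name == "read_file" else ("ask", "write inside workspace")

    if name == "run_shell_command":
        command = args["command"]
        try:
            tokens = shlex.split(command)
        except ValueError:
            return ("deny", "command could not be tokenised")
        if not tokens:
            return ("deny", "empty command")
        if any(t in DANGEROUS_BINARIES for t in tokens):
            return ("deny", "command invokes a dangerous binary")
        if any(c in command for c in SHELL_META):
            return ("ask", "command uses shell metacharacters")
        if tokens[0] in AUTO_APPROVE:
            return ("allow", f"{tokens[0]} is on the auto-approve list")
        return ("ask", f"{tokens[0]} is not on the auto-approve list")

    if name == "mcp_call":
        if args.get("server") not in TRUSTED_MCP_SERVERS:
            return ("deny", f"MCP server {args.get('server')!r} is not trusted")
        return ("ask", "call to trusted MCP server")

    return ("deny", f"unknown tool {name!r}")


if __name__ == "__main__":
    for call in [
        {"name": "read_file", "args": {"path": "src/main.py"}},
        {"name": "read_file", "args": {"path": "../../etc/passwd"}},
        {"name": "run_shell_command", "args": {"command": "pytest -q"}},
        {"name": "run_shell_command", "args": {"command": "ls -la; rm -rf ~"}},
        {"name": "mcp_call", "args": {"server": "unknown-server", "tool": "search"}},
    ]:
        print(call["name"], gate(call))
```

The gate is a default-deny design: only a short list of read-only commands runs unattended, any metacharacter that could chain or redirect commands demands a human decision, and an MCP server that was not explicitly trusted is refused outright. A real deployment would also run the approved command inside a sandbox (container or OS-level policy) rather than relying on the gate alone, since the page's core point is that the CLI otherwise inherits the full privileges of the terminal user.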
Layer 5 (Evaluation and Observability): Not certain from the listing — the tool runs directly in the terminal, likely relying on standard output/error for logging, with no explicit mention of security guardrails, evaluation frameworks, or policy enforcement.
Layer 6 (Security and Compliance): Not certain from the listing — it likely inherits the host user's permissions and environment variables without its own independent access control, authentication, or compliance auditing mechanisms.
Layer 7 (Agent Ecosystem): Integrates with Gemini Code Assist and external MCP tools. Threats include trust abuse with third-party MCP servers and cascading failures if an external tool returns malicious payloads that hijack the CLI's execution flow.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).