Kilo Code — agentic threat model
Kilo Code presents a high-risk profile due to its ability to execute terminal commands and automate browsers directly on the host machine, combined with an extensible MCP tool marketplace. While open-source transparency and user-approval gates mitigate some risk, a prompt injection attack could lead to full local host compromise.
OWASP AIVSS score rationale
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.40 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.60 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Connects to 400+ frontier and open models via OpenRouter and similar providers. This introduces exposure to model-specific vulnerabilities, adversarial prompt injections, and potential data leakage depending on the chosen model provider's privacy policy.
Not certain from the listing — operates directly on local codebases and workspace files, but details on local vector embeddings, RAG indexing, or secure data handling of sensitive code assets are not specified.
Features dedicated modes (Architect, Coder, Debugger) and supports terminal and browser automation. The primary threat is tool misuse or hijacking, where malicious instructions in a codebase could trick the agent into executing destructive terminal commands.
Runs locally as a VS Code or JetBrains IDE extension. This deployment model means the agent operates with the user's local privileges, posing a severe risk of host compromise, local file exfiltration, or unauthorized network access if compromised.
Not certain from the listing — mentions user approval for browser automation, but lacks details on built-in guardrails, automated safety evaluations, or comprehensive logging of executed terminal commands.
Not certain from the listing — open-source nature allows transparent configuration and community auditing, but no enterprise compliance certifications (e.g., SOC2, ISO) or formal policy enforcement mechanisms are mentioned.
Supports an MCP-style server marketplace for extending the agent with custom tools. This introduces ecosystem risks, such as users installing malicious or poorly vetted third-party MCP servers that could compromise the IDE environment.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).