Kimi‑Dev — agentic threat model
Kimi-Dev is a highly autonomous coding agent capable of multi-step planning and tool execution (file editing, test running), presenting a high risk of arbitrary code execution or repository compromise if deployed without strict sandboxing and human-in-the-loop guardrails.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Kimi-Dev is based on a 72B open-source foundation model fine-tuned via reinforcement learning. Key threats include adversarial prompt injection to bypass coding restrictions, model reprogramming to generate malicious code, and potential data poisoning of the open-source training/RL datasets.
Not certain from the listing — details on how Kimi-Dev ingests, indexes, or stores repository data (e.g., vector databases, local file caching, or RAG pipelines) are not specified. If a vector store is used, it faces risks of embedding inversion or knowledge-base poisoning.
The agent framework orchestrates multi-step planning to autonomously fix bugs and write tests. This requires deep tool integration (file system access, test runners). The primary threat is tool misuse, where the agent is manipulated into executing malicious commands or deleting critical files during its execution cycle.
Not certain from the listing — the hosting, execution environment, and sandboxing mechanisms are not detailed. Because the agent executes tests and modifies code, a lack of strict containerization or virtualized sandboxing would allow arbitrary code execution to compromise the host system.
Not certain from the listing — there is no mention of runtime guardrails, logging, or observability frameworks. Without these, malicious or unintended code modifications could pass undetected into the codebase, and evaluation gaming during RL could lead to fragile or insecure code generation.
Not certain from the listing — no security, compliance, or access control policies are defined. There is a risk of unauthorized repository access or credential leakage if the agent is granted write access to repositories without strict identity and access management (IAM) controls.
Not certain from the listing — Kimi-Dev is described as a standalone coding model and does not explicitly mention multi-agent coordination or ecosystem marketplace integrations.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).