AgentReadyHomeAgent Listing

← Lumen

Lumen — agentic threat model

5.1AIVSS 5.1 · Medium

Lumen presents a low-to-moderate risk profile due to its fully local, cloud-free architecture, though its exposure of local codebase structures via an MCP server introduces potential data exfiltration risks if the client agent is compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.5AARS uplift 0.85Factor sum 2.0/10Threat ×0.95Mitigation ×0.8
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.20
Persistent Memory
0.30
Contextual Awareness
0.40
Dynamic Identity
0.00
Multi-Agent Interactions
0.30
Non-Determinism
0.30
Opacity & Reflexivity
0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models✓ mapped

Uses local models via Ollama or LM Studio for embeddings, and Claude as the client LLM. Risks include adversarial prompt injection via the codebase files being indexed, which could manipulate Claude's behavior when it queries the MCP server.

L2 · Data Operations✓ mapped

Performs local Go AST-based indexing and stores embeddings locally. Primary threat is codebase poisoning, where malicious code comments or structures are indexed to manipulate vector search results or exploit the parser.

L3 · Agent Frameworks✓ mapped

Exposes semantic search tools to Claude via the Model Context Protocol (MCP). Risks include tool misuse where a compromised or rogue client agent queries sensitive parts of the codebase excessively.

L4 · Deployment & Infrastructure✓ mapped

Runs as a local MCP server with no cloud or npm dependencies, significantly reducing supply chain and remote network exposure. Threats are limited to local host compromise and unauthorized local processes connecting to the MCP port.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there is no mention of built-in logging, search query auditing, or guardrails to monitor what codebase data is being requested or returned through the MCP server.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — the directory does not specify any authentication or authorization mechanisms to restrict which local clients or users can connect to the MCP server and access the indexed codebase.

L7 · Agent Ecosystem✓ mapped

Operates in a developer-to-agent ecosystem by exposing tools to Claude. The main threat is trust abuse, where Claude (or another connected agent) is manipulated by external inputs to exfiltrate proprietary code structure via the search tools.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).