
offensive-osint (Claude-Red) — agentic threat model

AIVSS 8.7 · High

The offensive-osint agent possesses high agentic risk due to its ability to autonomously orchestrate powerful reconnaissance tools and query sensitive external APIs (Shodan, breach databases). Without built-in guardrails or sandboxing, a compromise or prompt injection could lead to unauthorized scanning, credential exposure, or SSRF.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.5
AARS uplift: 1.23
Factor sum: 4.7 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0; sum 4.70):

Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.30
Contextual Awareness: 0.60
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.20
Non-Determinism: 0.50
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary for layers the public description did not pin down.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — likely utilizes Anthropic's Claude models given the 'Claude-Red' name, which are susceptible to prompt injection, jailbreaking to bypass safety filters regarding offensive reconnaissance, and adversarial inputs designed to trigger malicious tool execution.

L2 · Data Operations · ✓ mapped

Processes highly sensitive external data including breach databases, GitHub leaks, and infrastructure maps. Risks include ingestion of poisoned OSINT data, malicious payloads embedded in target metadata (e.g., DNS records or Shodan banners) leading to injection, and lack of data provenance for harvested credentials.

L3 · Agent Frameworks · ✓ mapped

Orchestrates complex multi-step reconnaissance workflows using external APIs (Shodan, Censys, geolocation, crypto tracing). High risk of tool misuse where an attacker manipulates the agent's planning to scan unauthorized targets or exfiltrate API keys via outbound queries.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — as an open-source 'Agent Skill', deployment depends on the user's environment. However, it requires storage of sensitive API keys (Shodan, Censys, etc.) and outbound network access to query external services, presenting risks of credential theft and SSRF if not sandboxed.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — no built-in logging, guardrails, or observability mechanisms are described. Without external monitoring, malicious or unauthorized reconnaissance activities (e.g., targeting restricted infrastructure) could go undetected.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — being an open-source skill, it lacks native compliance frameworks, access controls, or authorization policies. It relies entirely on the host application to enforce boundaries on what targets can be queried.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — described as a standalone 'reconnaissance skill' from Claude-Red, but could be integrated into larger multi-agent offensive security frameworks, introducing risks of cascading tool execution or unauthorized delegation of scanning tasks.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).