remember (claude-remember) — agentic threat model
The 'remember' agent introduces significant privacy and prompt-injection risks by persisting and summarizing local Claude Code session logs across sessions. Its primary threat vector is memory poisoning, where malicious content in past conversations could be summarized and later executed or leaked during subsequent sessions.
OWASP AIVSS score rationale
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.50 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 1.00 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Relies on Claude Code's underlying foundation models for summarization and compression. Threat: Indirect prompt injection where malicious inputs in past conversations are summarized into persistent memory, potentially hijacking future sessions.
Extracts, summarizes, and compresses local session logs into tiered daily logs. Threat: Local data exfiltration or unauthorized access to sensitive developer data stored in plaintext logs, and memory poisoning of the knowledge base.
Orchestrates memory retrieval and storage via hooks. Threat: Insecure tool integration where the hooks reading/writing local session logs can be manipulated to read unauthorized files or inject malicious state into the agent framework.
Runs locally as a plugin for Claude Code. Threat: Local file system compromise or privilege escalation if the host environment running Claude Code is not properly sandboxed.
Not certain from the listing — there is no mention of evaluation, guardrails, or observability tools to monitor the integrity of the summarized logs or detect anomalous memory injections.
Not certain from the listing — as a free, open-source plugin, it lacks explicit compliance frameworks, access control policies, or audit logging mechanisms, though it explicitly notes the privacy-relevant nature of local persistence.
Acts as an extension/plugin interacting directly with Claude Code. Threat: Cascading failures where a compromise of the memory plugin leads to the compromise of the primary Claude Code agent, allowing unauthorized local actions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).