AgentReadyHomeAgent Listing

← Sentry skill-scanner

Sentry skill-scanner — agentic threat model

6.2AIVSS 6.2 · Medium

The Sentry skill-scanner presents a moderate security risk; while designed as a defensive tool to audit other skills, its deep read access to skill directories and scripts makes it a high-value target for indirect prompt injection and local information disclosure.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.5AARS uplift 1.35Factor sum 3.0/10Threat ×1.0Mitigation ×0.9
Autonomy of Action
0.40
Goal-Driven Planning
0.30
Self-Modification
0.10
Dynamic Tool Use
0.40
Persistent Memory
0.10
Contextual Awareness
0.50
Dynamic Identity
0.10
Multi-Agent Interactions
0.20
Non-Determinism
0.50
Opacity & Reflexivity
0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — likely relies on a general-purpose LLM to evaluate prompt-injection risks and suspicious instructions, making it vulnerable to adversarial bypasses or indirect prompt injection from the very files it scans.

L2 · Data Operations✓ mapped

The agent reads skill directories, SKILL.md, and bundled scripts. The primary threat is data exfiltration of sensitive configurations or intellectual property within those directories, or poisoning of the scanner's context via malicious files.

L3 · Agent Frameworks✓ mapped

The agent orchestrates a review workflow over directories. Vulnerabilities include insecure tool integration (file system readers) and potential path traversal if the directory path inputs are not sanitized.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — the hosting environment and sandboxing of the script-evaluation process are unspecified. If the scanner executes or parses scripts without a secure sandbox, it could lead to local code execution.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there is no mention of how the scanner's own decisions are logged, audited, or protected against evaluation gaming (e.g., a malicious skill hiding its true intent).

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — lacks details on authorization controls restricting which directories the scanner can access, or compliance audits for the tool itself.

L7 · Agent Ecosystem✓ mapped

Directly interacts with the ecosystem by scanning other installed skills. Threats include A2A trust abuse, where a malicious skill exploits the scanner's read access, or the scanner itself being used as a vector to map out vulnerabilities across the agent ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).