Superpowers Marketplace — agentic threat model

AIVSS 8.3 · High

The Superpowers Marketplace introduces supply chain risks by providing third-party MCP servers and commands that expand Claude Code's tool execution surface. While curated, the execution of these plugins locally poses high risks of unauthorized code execution or tool misuse if a plugin is compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 7.8 · AARS uplift 0.92 · Factor sum 4.0/10 · Threat ×1.05 · Mitigation ×0.95

Autonomy of Action: 0.50
Goal-Driven Planning: 0.30
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.50
Non-Determinism: 0.60
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The marketplace distributes plugins for Claude Code, but does not define or host the foundation models themselves.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — No specific data operations, vector stores, or RAG pipelines are detailed in this marketplace listing.

L3 · Agent Frameworks ✓ mapped

The marketplace provides MCP (Model Context Protocol) servers, commands, and skills that directly extend Claude Code's tool and workflow surface. This introduces risks of insecure tool integration, malicious commands, or tool misuse if a plugin is compromised or poorly written.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — The hosting, sandboxing, and execution environment of these plugins depend entirely on the user's local Claude Code setup and are not specified here.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — There is no mention of built-in logging, guardrails, or observability tools for the plugins in this marketplace.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The listing notes a 'hand-picked quality selection' rather than an auto-generated index, implying a manual curation process, but lacks formal security compliance, code signing, or vulnerability scanning details.

L7 · Agent Ecosystem ✓ mapped

This is a marketplace/ecosystem of plugins (MCP servers, skills) designed to extend an agent (Claude Code). Threats include compromised plugins, supply chain attacks, and cascading failures if a plugin behaves maliciously within the host agent's context.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).