superpowers — agentic threat model
The 'superpowers' agent presents a high-risk profile due to its ability to execute arbitrary scripts and plans directly within the developer's local environment. As a plugin marketplace, it introduces significant supply chain risks if malicious or unvetted skills are executed.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.90 | |
| Self-Modification | 0.50 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The agent is a plugin marketplace and skills library designed for Claude Code, meaning it relies on Claude (Anthropic) as its foundation model, inheriting its inherent alignment and robustness profiles.
Not certain from the listing — While it operates on local codebases (git worktrees, TDD, debugging), the listing does not specify any dedicated vector databases, RAG pipelines, or data lineage controls.
The agent provides orchestration commands (/write-plan, /execute-plan) and a skills-search tool. Skills inject instructions directly into the agent's context, creating risks of prompt injection, tool misuse, and insecure execution of plan steps.
The agent runs bundled scripts directly in the host environment (e.g., developer machine or CI/CD). This creates severe risks of host compromise, privilege escalation, and unauthorized local file access if malicious skills are executed.
Not certain from the listing — There is no mention of built-in logging, guardrails, or evaluation frameworks to monitor skill execution or detect anomalous behavior during plan execution.
Not certain from the listing — No security controls, authentication mechanisms, or compliance frameworks are described for validating skills or restricting execution permissions.
As a plugin marketplace and skills library, the agent is highly exposed to supply chain attacks. Users may download and execute untrusted third-party skills that run arbitrary scripts, leading to cascading ecosystem compromises.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).