Threat model · 2026

The 12 threat classes of the AI dev stack

A defensive taxonomy for the Claude Code, Model Context Protocol (MCP), and agent-dev ecosystem — think OWASP Top 10 for AI tooling. Traditional SAST + dependency scanning miss these because the dangerous behavior is often legal code with bad intent, the manifest's capability claims aren't compiler-enforced, and the agent is a new execution environment that can be talked into calling tools it shouldn't. These are the classes Assay reasons about.

T1Prompt injection via tool descriptions or responses

MCP serverscritical

A malicious or compromised MCP server returns content that looks like normal tool output but is structured to be re-read by the agent as instructions (indirect prompt injection). Both the tool description registered at handshake and the tool response strings are read in the model's instruction context — untrusted bytes become trusted commands.

T2Capability vs. claim mismatch

all artifactshighAssay detects

The README, manifest, or tool description advertises one set of behaviors; the code implements a broader or different set. A "Markdown formatter" that opens sockets and reads dotfiles. The deception is the gap — and computing that claim-vs-code diff is Assay's headline behavior.

T3Cross-tool exfiltration chains

MCP / plugin bundlescritical

No single tool is dangerous alone. Tool A reads a sensitive file; tool B makes outbound requests. Asked for an innocent workflow, the agent composes them — read this log, file an issue with the contents — and data leaves the machine. The vulnerability is structural, at the agent layer, not in any one function.

T4Confused-deputy escalation

plugins / MCPhigh

An innocent-looking tool wraps a dangerous one and inherits the agent's trust context. The user approved format_repo, not the Bash call it constructs internally — so they've functionally approved everything the wrapper transitively does.

T5Supply-chain attacks via updates

all artifactscritical

1.0.0 was clean; 1.0.1 isn't. Same identity, changed content. Account takeover, typosquatting (rainbow-formatter vs rainbow-formatter-2), and dependency-chain compromise all transplant directly from npm/PyPI to plugin and MCP registries. A snapshot scan says nothing about the next version — so re-scan on every update.

T6Hook abuse

plugins / settingshighAssay detects

Hooks run shell commands on lifecycle events (UserPromptSubmit, SessionStart). Every registered hook is a persistent shell-exec on the user's machine, triggered by events they don't associate with the plugin that installed it — and it can survive uninstall if settings.json isn't also cleaned.

T7Settings drift

settingsmedium

A broad permission granted months ago — Bash(*), Write(*), WebFetch(*) — is still live and forgotten. New plugins inherit those grants without the user being reprompted, quietly removing the guardrails they assumed were there.

T8Credential / secret exfiltration

all artifactscriticalAssay detects

The artifact reads credential files (~/.ssh, ~/.aws, ~/.gnupg, ~/.kube, .env) and sends them somewhere unauthorized. Read, send. The mechanics aren't subtle — the volume of artifacts to review is what lets it slip through. Assay's most reliable detection: it traces data flow from credential reads to network sinks.

T9Filesystem read/write overreach

all artifactsmedium–highAssay detects

The artifact reaches beyond its declared scope — a linter reading all of $HOME, a doc generator following symlinks out of the project, a test runner writing predictably-named files into /tmp. A privacy issue, a compliance issue, and a footgun.

T10Cost-bleed / DoS

MCP / pluginsmedium

Economic denial of service: no data taken, no machine broken — the bill spikes. An MCP server returns enormous responses to drain context; a hook prepends a multi-KB preamble to every prompt; a tool description is megabytes long. The user pays per token; the artifact dictates the tokens.

T11Skill capability-grant & auto-activation abuse

skillshigh

A skill is natural-language instruction plus a capability grant. A "commit-message formatter" declares allowed-tools: [Bash, Write] (far more than formatting needs), and a broadly-written description auto-activates it on tasks the user never associated with it — at which point its body's instructions execute in the user's context.

T12Connector OAuth-scope & remote-egress overreach

claude.ai connectorshigh

A hosted connector the user authorizes once, then it speaks to the model under the granted OAuth scopes. The risk is the gap between the scopes and data-egress it requests and what its purpose needs — compounded by a closed-source implementation the user can't audit. Assay reviews the declared metadata and is explicit about what it can't see.


This is the 2026 edition (static analysis / Ring 0). The full write-up — with per-class indicators, author mitigations, and exactly how Assay detects each — is in docs/threat-model-2026.md. See also How it works for the 5-stage methodology that maps findings to these classes.

← How it worksFAQ →