Google Agent Development Kit — agentic threat model
The Google Agent2Agent protocol introduces significant ecosystem risks by enabling cross-organizational multi-agent collaboration, where a single compromised agent could exploit trust boundaries to trigger cascading failures or unauthorized tool execution across peer networks.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.20 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 1.00 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — The A2A protocol is model-agnostic and does not specify foundation models, meaning model-level threats like adversarial examples or data poisoning depend entirely on the underlying LLMs chosen by implementing organizations.
Layer 2, Data Operations: Not certain from the listing — The description focuses on communication protocols and does not detail training data, RAG pipelines, or vector store integrations, leaving data-level threats unaddressed at the protocol layer.
Layer 3, Agent Frameworks: The framework orchestrates multi-agent communication and tool integration. Vulnerabilities here include insecure tool negotiation, protocol-level injection via JSON-RPC 2.0, and framework-level exploits that could allow malicious agents to trigger unauthorized local tools.
Layer 4, Deployment and Infrastructure: The protocol is built on HTTP, JSON-RPC, and Server-Sent Events (SSE) for cloud deployment. Infrastructure threats include exposed endpoints, lack of network sandboxing between communicating agents, and potential denial-of-service via long-running asynchronous SSE connections.
Layer 5, Evaluation and Observability: Not certain from the listing — The protocol description does not detail built-in evaluation, monitoring, logging, or guardrail mechanisms to detect anomalous agent behaviors or malicious payloads during inter-agent communication.
Layer 6, Security and Compliance: The protocol emphasizes secure collaboration and preventing the exposure of internal states or proprietary tools. However, specific identity, authorization, and compliance standards (like OAuth, NIST, or ISO) are not explicitly detailed in the protocol listing.
Layer 7, Agent Ecosystem: This is a highly critical layer for this protocol. The primary threats involve rogue or compromised peer agents abusing the A2A trust model, exploiting capability discovery mechanisms to map target networks, and causing cascading failures across organizational boundaries.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.