IntervAI — agentic threat model
IntervAI presents a low-to-moderate agentic risk profile, primarily acting as an interactive educational tool. Its main security risks center on the confidentiality of sensitive user PII, resumes, and voice recordings rather than on autonomous system actions.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin down that layer.
Not certain from the listing — likely utilizes third-party LLMs and text-to-speech/avatar models. Threats include prompt injection to bypass interview constraints, adversarial voice inputs, or model alignment issues leading to inappropriate feedback.
Not certain from the listing — processes highly sensitive user data (resumes, voice recordings, performance feedback). Threats include data exfiltration of PII, unauthorized access to stored resumes, and potential training/RAG data poisoning if user resumes are used to fine-tune models without sanitization.
Not certain from the listing — orchestrates the interview flow and feedback generation. Threats include state-machine bypasses where users manipulate the interview progression, or insecure tool integration if resume parsing libraries are vulnerable to malicious file uploads (e.g., PDF exploits).
Not certain from the listing — likely hosted on standard cloud infrastructure with web/voice streaming endpoints. Threats include denial of service on voice processing APIs, insecure storage of audio files, and standard web application vulnerabilities.
Not certain from the listing — requires robust monitoring to ensure feedback quality and detect biased or hallucinated evaluations. Gaps could lead to undetected drift in grading criteria or adversarial gaming of the scoring system.
Not certain from the listing — handles sensitive personal career data and voice biometrics, raising GDPR/CCPA compliance risks. Lack of explicit SOC2 or ISO certifications in the listing suggests potential gaps in formal security governance.
Not certain from the listing — operates primarily as a standalone user-to-agent platform. Minimal ecosystem threats unless integrated with external job boards or applicant tracking systems (ATS) in the future.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.