Iris — agentic threat model
Iris presents a high-risk profile primarily due to its integration with sensitive communication channels (email and calendar), making it highly vulnerable to indirect prompt injection attacks via incoming emails.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.70 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — likely relies on third-party LLMs. The primary threat is indirect prompt injection via incoming emails, which could hijack the model's instructions to draft malicious replies or leak information.
Layer 2, Data Operations: Not certain from the listing — requires ingestion of email and calendar data. Threats include unauthorized access to cached PII, lack of data isolation between users, and potential data exfiltration via email content.
Layer 3, Agent Frameworks: Not certain from the listing — orchestrates actions between email and calendar APIs. Insecure tool integration could allow an attacker to trigger unauthorized email sends, calendar deletions, or meeting modifications.
Layer 4, Deployment and Infrastructure: Not certain from the listing — requires hosting and OAuth token management for email/calendar access. Compromise of the infrastructure could expose highly sensitive user credentials and access tokens.
Layer 5, Evaluation and Observability: Not certain from the listing — requires continuous monitoring to detect anomalous email drafts or scheduling behavior, especially given the non-deterministic nature of LLMs handling untrusted inputs.
Layer 6, Security and Compliance: Not certain from the listing — must implement strict OAuth scopes (least privilege) and comply with data privacy regulations (GDPR/CCPA) given the handling of sensitive inbox data.
Layer 7, Agent Ecosystem: Not certain from the listing — potential risk of interacting with external scheduling agents or malicious calendar invites, leading to automated exploitation or cascading trust failures.
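As an added example (not code from the Iris listing or its vendor), the kind of policy gate the foundation-model, agent-framework and security-and-compliance layers above call for: it sits between the model's proposed tool call and the email/calendar APIs, checks the call against the OAuth scopes actually granted, and forces human confirmation for drafts that add recipients outside the current thread or for any calendar change. Tool names, scope strings and addresses are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class ToolCall:
    name: str   # tool the model wants to invoke, e.g. "send_email"
    args: dict  # arguments as proposed by the model (untrusted)

@dataclass
class Context:
    user: str                 # mailbox owner
    thread_participants: set  # addresses already on the thread being handled
    granted_scopes: set       # OAuth scopes actually granted to the agent

# Hypothetical least-privilege mapping: each tool needs exactly one scope.
REQUIRED_SCOPE = {
    "read_email": "mail.read",
    "send_email": "mail.send",
    "create_event": "calendar.write",
    "delete_event": "calendar.write",
}
# Actions that are irreversible or change other people's calendars.
NEEDS_HUMAN_CONFIRMATION = {"delete_event", "create_event"}

def gate(call: ToolCall, ctx: Context) -> tuple:
    """Decide allow / confirm / deny for a model-proposed tool call.

    The decision never reads the email text, so instructions injected
    into an incoming message cannot widen what the agent may do.
    """
    scope = REQUIRED_SCOPE.get(call.name)
    if scope is None:
        return "deny", f"unknown tool {call.name!r}"
    if scope not in ctx.granted_scopes:
        return "deny", f"{call.name} requires scope {scope}, not granted"
    if call.name == "send_email":
        recipients = set(call.args.get("to", [])) | set(call.args.get("cc", []))
        if not recipients:
            return "deny", "send_email with no recipients"
        outsiders = recipients - ctx.thread_participants - {ctx.user}
        if outsiders:
            # A draft that adds addresses not already on the thread is the
            # typical exfiltration pattern after a hijacked instruction.
            return "confirm", f"new recipients not on thread: {sorted(outsiders)}"
        return "allow", "reply stays within the existing thread"
    if call.name in NEEDS_HUMAN_CONFIRMATION:
        return "confirm", f"{call.name} modifies calendar state"
    return "allow", "read-only action"
```

Every "confirm" and "deny" decision is also the event the observability layer should log, since a burst of them on one mailbox is the anomalous-draft signal described above.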
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.