Kohala — agentic threat model
Kohala is an agent-building and operations platform with high inherent risk: it designs and deploys autonomous workflows that draw on scored data sources, so a compromise of the platform propagates to every agent built on it and could enable widespread downstream agent manipulation and data exposure.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0–1) |
|---|---|
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.30 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.50 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.60 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference). Each agentic risk factor is an estimate derived from the capabilities Kohala's public listing describes; the listing supplies no per-factor rationale, so the values above should be read as a capability-based approximation rather than a measured result.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary because the public description does not pin down that layer.
Layer 1 (Foundation Models): Not certain from the listing — The specific foundation models used by Kohala's builder (Kai) are not disclosed. Threats include model misalignment, prompt injection, and model-level vulnerabilities that carry over into every agent Kai generates.
Layer 2 (Data Operations): Kohala features 'data source scoring' and 'Koans' to keep outputs live and current. Because agent behaviour depends on which sources score well, this introduces risks of data or knowledge-base poisoning of the scored sources, unauthorized data exfiltration through live outputs, and the absence of data lineage tracking that would let an operator trace a bad output back to its source.
Layer 3 (Agent Frameworks): As an orchestration platform with an 'Approve & Build' flow, Kohala manages agent planning and execution. Threats include insecure tool integration, memory poisoning within the built agents, and logic flaws in the autonomous workflows Kai designs that the approval step may not catch.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The hosting, sandboxing, and execution environment for the built agents are not detailed. Threats include container escape, privilege escalation, and lateral movement if agents run in shared environments.
Layer 5 (Evaluation and Observability): Kohala provides 'agent operations' and 'data source scoring', indicating built-in monitoring capabilities. However, there remain risks of evaluation gaming, blind spots in agent execution logs, and gaps in drift detection for live outputs.
Layer 6 (Security and Compliance): Not certain from the listing — No specific compliance certifications (such as SOC 2 or ISO 27001), identity management, or access control policies are detailed in the public directory listing.
Layer 7 (Agent Ecosystem): Kohala operates as an agent ecosystem platform where multiple agents can be designed and run side by side. This creates threats of cascading failures across built agents, unauthorized inter-agent communication, and trust abuse between different workflows.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.