
Letta — agentic threat model

AIVSS 8.1 · High

Letta's primary risk lies in its advanced, persistent memory capabilities, which make it highly susceptible to long-term memory poisoning and state-manipulation attacks. As a deployment platform with REST APIs and tool-calling, a compromise could lead to widespread unauthorized tool execution and data exfiltration across managed agents.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 1.09
Factor sum: 6.9 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×0.85

Agentic risk factors (each scored 0.0–1.0):

Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.90
Dynamic Tool Use: 0.70
Persistent Memory: 1.00
Contextual Awareness: 0.80
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.60
Non-Determinism: 0.70
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
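To check the headline number rather than take it on trust, the following added example (not code from the listing, from Letta, or from the AIVSS calculator) recomputes the score from the formula exactly as this page states it, using the page's CVSS base, factor values, threat multiplier and mitigation factor. The function and variable names are this example's own; the "unmitigated" what-if value is an illustration of how much weight the mitigation factor carries and is not a figure from the page.

```python
# Added example: recompute the page's AIVSS score from the formula as stated.
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
# Function names and the "unmitigated" what-if are this example's own.

# The ten agentic risk factors exactly as listed on the page (0.0-1.0 each).
LETTA_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.80,
    "Self-Modification": 0.90,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 1.00,
    "Contextual Awareness": 0.80,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.60,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.30,
}


def factor_sum(factors):
    """Sum of the ten agentic risk factors; the page reports this as 6.9/10."""
    if len(factors) != 10:
        raise ValueError("AIVSS uses exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic uplift: scales the headroom left above the CVSS base score."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be within 0-10")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """Final score. Uses the unrounded AARS: rounding the uplift to 1.09 first
    would give 8.2 for this agent instead of the page's 8.1."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return (cvss_base + uplift) * mitigation_factor


def letta_score():
    """Reproduce the page's numbers (CVSS base 8.5, ThM 1.05, mitigation 0.85)
    and show the same agent with no mitigation credit (factor 1.0)."""
    return {
        "factor_sum": round(factor_sum(LETTA_FACTORS), 2),
        "aars": round(aars(8.5, LETTA_FACTORS, 1.05), 2),
        "aivss": round(aivss(8.5, LETTA_FACTORS, 1.05, 0.85), 1),
        "aivss_unmitigated": round(aivss(8.5, LETTA_FACTORS, 1.05, 1.0), 1),
    }


if __name__ == "__main__":
    print(letta_score())
    # {'factor_sum': 6.9, 'aars': 1.09, 'aivss': 8.1, 'aivss_unmitigated': 9.6}
```

Two things the recomputation makes visible: the final score is sensitive to where you round (rounding AARS before the final multiplication changes the result), and the mitigation factor alone moves this agent between 8.1 and 9.6, so a reviewer disputing the score should start with the evidence behind the ×0.85 mitigation credit and the 1.00 Persistent Memory factor.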

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Letta is model-agnostic, meaning foundation model threats (adversarial examples, alignment) depend on the developer's choice of LLM, though Letta's stateful wrapper could inherit or amplify these risks.

L2 · Data Operations (✓ mapped)

Letta's core value is persistent, long-term memory management. This introduces significant risks of memory/knowledge-base poisoning, unauthorized data exfiltration from the stateful store, and embedding inversion.

L3 · Agent Frameworks (✓ mapped)

As an agent development environment supporting tool calling and REST APIs, it is highly vulnerable to tool misuse, memory poisoning (e.g., prompt injection modifying the agent's core memory), and insecure tool integration.

L4 · Deployment & Infrastructure (✓ mapped)

Offers cloud deployment and REST APIs. Threats include container/host compromise of the hosted service, unauthorized API access, and lack of sandboxing for executed tools or Python SDK environments.

L5 · Evaluation & Observability (✓ mapped)

Promotes 'white box systems' and transparent memory, which aids observability. However, monitoring for drift, memory corruption, or adversarial manipulation of the state remains a critical gap if not explicitly configured.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — the listing does not detail specific enterprise compliance standards (such as SOC 2 or ISO 27001) or built-in RBAC/policy enforcement mechanisms for the hosted cloud service.

L7 · Agent Ecosystem (✓ mapped)

Designed to deploy and manage agents at scale. This creates risks of multi-agent trust abuse, cascading failures across stateful agents, and horizontal propagation of malicious memory states.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.