
Minion AI — agentic threat model

AIVSS 9.5 · Critical

Minion AI is a closed-source browser agent designed to execute tasks on the web, presenting high risk due to its autonomy, dynamic tool use (browser automation), and susceptibility to indirect prompt injection from untrusted web content.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.8
AARS uplift: 0.71
Factor sum: 5.4/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors (each scored 0 to 1):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.40
Contextual Awareness: 0.60
Dynamic Identity: 0.70
Multi-Agent Interactions: 0.10
Non-Determinism: 0.60
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
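As an added worked example (not part of the AgentReady listing or the OWASP calculator), the formula above applied to the factor table, reproducing the 0.71 uplift and the 9.5 score; the cap at 10.0 and the CVSS-style severity bands are my assumptions.

```python
# Constructed from the factor table above; names follow the OWASP AIVSS list.
MINION_AI_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.70,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.40,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.60,
}

def factor_sum(factors):
    """Sum of the ten agentic factors; each must lie in [0, 1] (the /10 is a mean)."""
    if len(factors) != 10:
        raise ValueError(f"expected 10 AIVSS factors, got {len(factors)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())

def aars(cvss_base, factors, thm):
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM, unrounded."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm

def aivss(cvss_base, factors, thm, mitigation):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor. The cap at 10.0 is my
    assumption (CVSS scale); a ThM above 1 can otherwise push the sum past 10."""
    return min(10.0, (cvss_base + aars(cvss_base, factors, thm)) * mitigation)

def severity(score):
    """Band label; assumes AIVSS reuses the CVSS v3 bands (matches '9.5 · Critical')."""
    bands = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
    return next((label for floor, label in bands if score >= floor), "None")

def score_agent(cvss_base, factors, thm=1.0, mitigation=1.0):
    """Rounded summary in the same shape as the page's score box."""
    total = round(aivss(cvss_base, factors, thm, mitigation), 1)
    return {"factor_sum": round(factor_sum(factors), 1),
            "aars": round(aars(cvss_base, factors, thm), 2),
            "aivss": total, "severity": severity(total)}

if __name__ == "__main__":
    print(score_agent(8.8, MINION_AI_FACTORS, thm=1.1, mitigation=1.0))
```

Dropping the threat multiplier to 1.0 shows how little headroom a high CVSS base leaves for the agentic uplift: the score moves only from 9.5 to 9.4.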

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — likely relies on commercial LLMs optimized for web navigation. The primary threat is indirect prompt injection, where malicious text on a visited website hijacks the agent's instructions.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — likely handles sensitive user session data, cookies, or credentials to perform tasks. Threats include data exfiltration of these session tokens or poisoning of the agent's knowledge base via scraped web content.

L3 · Agent Frameworks · ⚠ not certain from listing

Not certain from the listing — likely uses a browser automation framework (e.g., Playwright or Puppeteer) driven by LLM planning. Threats include insecure tool integration where the agent is tricked into executing unintended clicks, form submissions, or navigation.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — could run as a local browser extension or in a cloud-hosted container. If cloud-hosted, risks include container escape, IP blacklisting, and insecure storage of user session states.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — no details on observability or guardrails. A lack of real-time monitoring could allow the agent to perform unauthorized or harmful actions on third-party sites without user detection.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — closed source with no mentioned security compliance (e.g., SOC2). The lack of explicit policy controls means there may be no boundaries preventing the agent from accessing sensitive financial or personal accounts if instructed.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — primarily operates as a single-user web agent. However, interacting with dynamic web ecosystems and APIs exposes it to malicious third-party agents or compromised web services.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.