MultiOn — agentic threat model
MultiOn exhibits a high-risk agentic profile due to its ability to autonomously navigate the live web, interact with third-party services, and execute multi-step workflows, making it highly susceptible to indirect prompt injection and unauthorized transaction execution.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.70 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Foundation Models: Not certain from the listing — The listing mentions natural language command interpretation and structured LLM data scraping but does not specify the underlying foundation models. Threats include indirect prompt injection via malicious web page content and model reprogramming.
Data Operations: Not certain from the listing — The agent performs advanced full-page structured LLM data scraping, but the listing does not detail how this scraped data is stored, cached, or protected. Threats include data exfiltration of sensitive scraped session data.
Agent Frameworks: The agent framework orchestrates complex multi-step web navigation and service interaction based on user inputs. Threats include tool misuse, where malicious web elements hijack the agent's browser control to perform unauthorized actions (e.g., clicking malicious buttons or submitting forms).
Deployment and Infrastructure: The infrastructure supports secure remote sessions with native proxy support and a Chrome browser extension for local interaction. Threats include session hijacking, proxy abuse, and local privilege escalation or credential theft via the browser extension.
Evaluation and Observability: Not certain from the listing — There is no mention of real-time monitoring, execution guardrails, or logging mechanisms to detect and stop anomalous or malicious agent behaviors during web sessions.
Security and Compliance: Not certain from the listing — While 'secure remote sessions' are mentioned, the listing lacks details on formal compliance certifications (e.g., SOC2), user authorization boundaries, or policy enforcement mechanisms for sensitive web actions.
Agent Ecosystem: The platform supports scalability with parallel agents. Threats include cascading failures across parallel sessions, resource exhaustion, and potential trust abuse if parallel agents share session contexts or credentials.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.