AgentReadyHomeAgent ListingPricing

← MyPolicyReview.ai

MyPolicyReview.ai — agentic threat model

8.0AIVSS 8.0 · High

MyPolicyReview.ai presents low agentic risk due to its passive, analysis-oriented nature, but poses significant data privacy and integrity risks because it processes highly sensitive personal and financial insurance documents via uploaded PDFs.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5AARS uplift 0.5Factor sum 2.0/10Threat ×1.0Mitigation ×1.0
Autonomy of Action
0.20
Goal-Driven Planning
0.10
Self-Modification
0.00
Dynamic Tool Use
0.10
Persistent Memory
0.30
Contextual Awareness
0.40
Dynamic Identity
0.00
Multi-Agent Interactions
0.00
Non-Determinism
0.50
Opacity & Reflexivity
0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — likely relies on third-party or open-source LLMs to parse and interpret complex policy language. The primary threat is prompt injection embedded within uploaded PDFs (indirect prompt injection) which could manipulate the model's assessment of exclusions or limits, or cause it to hallucinate coverage gaps.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — requires a data ingestion pipeline to process uploaded PDFs and potentially store them for renewal tracking. Threats include unauthorized access to stored policy documents containing sensitive PII and asset details, as well as potential data leakage if the uploaded data is used to train or fine-tune underlying models.

L3 · Agent Frameworks⚠ not certain from listing

Not certain from the listing — likely uses a basic document-processing orchestration framework rather than an advanced agentic loop. The main threat is insecure integration with PDF parsing tools, which could be exploited via malicious PDF files to execute arbitrary code or bypass extraction logic.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — hosted as a freemium web application. Vulnerabilities could exist in the web server hosting the platform, the PDF parsing sandbox (or lack thereof), and the storage buckets where uploaded policies are kept.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there is no mention of automated guardrails or evaluation frameworks to verify the accuracy of the AI's policy analysis, creating a risk of undetected hallucinations regarding critical policy exclusions.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — despite handling highly sensitive financial, residential, and personal data contained in insurance policies, no compliance standards (such as SOC2, ISO 27001, or GDPR-compliant data deletion policies) are specified.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — currently operates as a standalone horizontal tool with no described multi-agent interactions or external ecosystem integrations.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.