
NineFengShui — agentic threat model

AIVSS 4.6 · Medium

NineFengShui is a low-risk, highly structured vertical AI assistant focused on floor plan analysis and PDF report generation. Its primary security risks are limited to client-side privacy leaks, insecure PDF generation, and standard web application vulnerabilities rather than autonomous agentic threats.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 4.3 · AARS uplift 0.81 · Factor sum 1.5/10 · Threat ×0.95 · Mitigation ×0.9

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.10
Persistent Memory: 0.20
Contextual Awareness: 0.40
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.00
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — likely relies on a third-party LLM API to generate feng shui insights based on structured layout inputs. Risks include prompt injection that could manipulate the generated remedies or cause the model to output inappropriate content.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — the app processes user-provided floor plans and layout metadata. While it highlights 'privacy-friendly local floor plan tracing', the structured layout data must still be sent to the backend/LLM, posing potential privacy risks if not handled securely.

L3 · Agent Frameworks ✓ mapped

The application uses a highly structured, guided wizard workflow rather than an autonomous agent framework. The orchestration risk is very low, primarily limited to ensuring user inputs are properly sanitized before being passed to the LLM and PDF generator.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — likely hosted on standard cloud infrastructure. A key technical risk at this layer is the PDF generation engine, which can be vulnerable to Server-Side Request Forgery (SSRF) or local file inclusion if user-supplied HTML/CSS is not sanitized.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — there is no mention of guardrails, output validation, or observability tools to monitor the quality and safety of the generated feng shui advice.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — no formal compliance claims (such as a SOC 2 attestation or GDPR compliance) are mentioned, though the tool emphasizes local tracing to address user privacy concerns.

L7 · Agent Ecosystem ✓ mapped

The tool operates as a standalone vertical application with no multi-agent coordination, marketplace integrations, or external ecosystem dependencies described.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.