

Onlook — agentic threat model

AIVSS 6.4 · Medium

Onlook is a local visual React editor with AI capabilities. Its primary risk is that prompt injection, or simply flawed AI-generated code, could introduce vulnerabilities (XSS sinks, backdoored components) directly into the developer's local codebase, from where they propagate to production through version control once committed.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5 · Factor sum 2.2/10 · Threat multiplier (ThM) ×1.0 · AARS uplift 0.55 · Mitigation ×0.8
Worked: AARS = (10 − 7.5) × (2.2 / 10) × 1.0 = 0.55; AIVSS = (7.5 + 0.55) × 0.8 = 6.44, reported as 6.4 (Medium).
Autonomy of Action · 0.30
Goal-Driven Planning · 0.20
Self-Modification · 0.00
Dynamic Tool Use · 0.40
Persistent Memory · 0.10
Contextual Awareness · 0.50
Dynamic Identity · 0.00
Multi-Agent Interactions · 0.00
Non-Determinism · 0.40
Opacity & Reflexivity · 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not give enough detail to assess that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific foundation models used by Onlook are not disclosed. The primary L1 threat is adversarial prompt injection that could manipulate the model into generating insecure React or Tailwind code.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing. It is unclear how Onlook indexes the local codebase or whether it uses a local vector database. Because the editor and the codebase stay on the developer's machine, cloud-side poisoning of Onlook's own data stores is unlikely; however, the listing does not say whether prompts and code context are sent to a hosted model, so exfiltration of source through the model API cannot be ruled out from the public description.

L3 · Agent Frameworks (✓ mapped)

The agent framework translates visual edits and AI prompts into local React code modifications. The main threats are tool misuse and insecure file-writing: an agent acting on a manipulated prompt could write outside the intended directory, overwrite configuration files that control builds or hooks, or inject malicious scripts into components. Path confinement and an allowlist of files the agent may write are the usual controls.

L4 · Deployment & Infrastructure (✓ mapped)

Onlook runs locally in the developer's environment. This keeps data on the workstation, but the tool also runs with the developer's own privileges: a compromise of the tool (for example through a prompt that steers it into writing or running arbitrary code) gives an attacker whatever that user account can read or write, including source trees, credentials held in the environment and Git configuration, unless the application sandboxes its file-system and process access.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of built-in guardrails, real-time code scanning, or observability tools to detect if the AI is generating insecure patterns or if the visual editor is being abused.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Onlook relies on the developer's local environment and version control (e.g., Git) for security and tracking. It does not advertise enterprise compliance certifications (such as SOC 2) and leverages its local-first architecture as its primary security control. Because generated code reaches production through the repository, review of commits and pull requests, together with pre-commit linting or static analysis, is the practical control that catches insecure generated code before it ships.

L7 · Agent Ecosystem (✓ mapped)

Onlook operates as a standalone local developer tool. There are no multi-agent orchestrations or marketplace integrations described, making ecosystem-level cascading failures highly unlikely.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework. They are an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.