rtrvr.ai — agentic threat model
rtrvr.ai is a high-risk browser-based agent that inherits the user's active session permissions to autonomously navigate the web and trigger external tools. Its primary risk vector is indirect prompt injection from untrusted web content, which could lead to unauthorized data exfiltration or malicious API execution.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.70 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from the listing” are general, caveated commentary where the public description did not give enough detail to pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — likely relies on commercial LLMs (e.g., OpenAI, Anthropic) for function calling and extraction. The primary threat is indirect prompt injection, where malicious instructions embedded in web pages hijack the model's behavior.
Layer 2, Data Operations: Not certain from the listing — extracts structured data dynamically from web pages. Threats include exfiltration of sensitive browser-accessible data and poisoning of the extracted data stream.
Layer 3, Agent Frameworks: Orchestrates web navigation and tool integration (e.g., Slack) via AI Function Calling. The main threat is insecure tool integration, where the LLM is tricked by untrusted web input into executing unauthorized API calls with the user's credentials.
Layer 4, Deployment & Infrastructure: Deployed as a Chrome extension. This architecture poses risks of extension-level compromise, local storage exposure, and abuse of the extension's broad permissions to read and modify page content.
Layer 5, Evaluation & Observability: Not certain from the listing — no mention of guardrails, logging, or observability frameworks to monitor agent actions or detect anomalous web navigation and API calls.
Layer 6, Security & Compliance: Not certain from the listing — no security certifications or compliance alignments are mentioned. The agent implicitly inherits the user's active browser session identities and permissions without explicit boundary controls.
Layer 7, Agent Ecosystem: Not certain from the listing — operates primarily as a single-agent browser assistant. While it integrates with external APIs like Slack, there is no evidence of a multi-agent ecosystem or marketplace interactions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.