addto.me — agentic threat model

AIVSS 9.4 · Critical

addto.me acts as a highly privileged intermediary between public messaging channels (WhatsApp, Telegram) and sensitive enterprise/personal SaaS applications (Jira, Notion, Google Calendar). Its reliance on natural language and voice inputs combined with direct API write access presents a significant risk of prompt injection leading to unauthorized data modification or exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.85
Factor sum: 5.4 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.60
Goal-Driven Planning: 0.70
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.50
Contextual Awareness: 0.70
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.10
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
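The score above can be reproduced from the formula and the ten factor values on this page. The following is an added example, not code from the listing or from the OWASP AIVSS project: it implements the quoted formula as plain Python, validates that every factor is within the 0.0 to 1.0 range, and recomputes the AARS uplift and the final score for addto.me. The one-decimal rounding and the CVSS v3.x qualitative bands used to label the result "Critical" are assumptions made here to match the displayed values.

```python
# Added example (not from the listing or the AIVSS project): recompute the
# OWASP AIVSS score from the formula quoted on the page.
#
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

# Inputs as displayed on the page for addto.me.
CVSS_BASE = 8.5
THREAT_MULTIPLIER = 1.05   # "ThM" in the formula
MITIGATION_FACTOR = 1.0    # no mitigations credited

# The ten agentic risk factors, each estimated on a 0.0-1.0 scale.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.70,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.50,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.60,
}


def factor_sum(factors):
    """Sum the ten factors after checking each is in [0.0, 1.0] and that
    exactly ten are present, so a typo (e.g. 6.0 instead of 0.6) cannot
    silently inflate the uplift."""
    if len(factors) != 10:
        raise ValueError(f"expected 10 agentic factors, got {len(factors)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, total, thm):
    """Agentic AI Risk Score uplift: scales the headroom above the CVSS
    base by the normalised factor sum and the threat multiplier."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base out of range: {cvss_base}")
    return (10.0 - cvss_base) * (total / 10.0) * thm


def aivss(cvss_base, factors, thm, mitigation):
    """Final AIVSS score, capped at 10.0 as a CVSS-style ceiling
    (assumption: the formula itself does not state a cap)."""
    uplift = aars(cvss_base, factor_sum(factors), thm)
    return min(10.0, (cvss_base + uplift) * mitigation)


def severity(score):
    """Qualitative band. Assumption: the CVSS v3.x bands are reused."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def score_listing():
    """Recompute the page's numbers and return them rounded as displayed."""
    total = factor_sum(AGENTIC_FACTORS)
    uplift = aars(CVSS_BASE, total, THREAT_MULTIPLIER)
    score = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    return {
        "factor_sum": round(total, 2),
        "aars": round(uplift, 2),
        "aivss": round(score, 1),
        "severity": severity(score),
    }


if __name__ == "__main__":
    for key, value in score_listing().items():
        print(f"{key}: {value}")
```

Running the block prints the factor sum 5.4, the AARS uplift 0.85 and the final score 9.4 (Critical), matching the listing. The range checks are the practical point: because AARS is linear in the factor sum, a single mis-keyed factor moves the final score directly, so validating inputs before scoring keeps the published number honest.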

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary because the public description does not give enough detail to pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — utilizes an unspecified 'reasoning AI model' to process natural language and voice. Threats include adversarial prompt injection via chat or voice transcripts, potentially hijacking the reasoning flow to trigger unauthorized tool actions.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — must handle and store OAuth tokens and user configuration data to access Notion, Jira, and Google Calendar. Threats include credential theft, data exfiltration from connected knowledge bases, and lack of clear data retention policies.

L3 · Agent Frameworks (✓ mapped)

The agent orchestrates multi-step workflows across diverse APIs (Jira, Notion, Calendly) based on user intent. Threats include insecure tool integration, tool misuse (e.g., deleting or modifying critical project tickets/pages via indirect injection), and lack of strict schema validation on tool inputs.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — hosted as a closed-source SaaS platform. Threats include host/container compromise, exposure of webhook endpoints handling WhatsApp/Telegram traffic, and insecure storage of API secrets.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — no mention of guardrails, input filtering, or transaction logging. Threats include blind spots in detecting malicious commands embedded in voice messages or native chat replies.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — handles highly sensitive corporate and personal data across multiple platforms without explicit mention of compliance standards (e.g., SOC2, GDPR) or fine-grained authorization policies to restrict agent actions.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — primarily functions as a single-agent orchestrator connecting to third-party APIs. Threats are focused on API-to-API trust abuse rather than complex multi-agent cascading failures.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).