AgentReadyHomeAgent Listing

← AI Browser

AI Browser — agentic threat model

9.3AIVSS 9.3 · Critical

AI Browser presents a high-risk profile due to its ability to autonomously interact with arbitrary websites, making it highly susceptible to indirect prompt injection and unauthorized actions if session credentials are exposed. The inclusion of community-built agents further amplifies ecosystem risks without visible sandboxing or verification controls.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.82Factor sum 5.2/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.80
Goal-Driven Planning
0.70
Self-Modification
0.10
Dynamic Tool Use
0.80
Persistent Memory
0.30
Contextual Awareness
0.60
Dynamic Identity
0.50
Multi-Agent Interactions
0.20
Non-Determinism
0.70
Opacity & Reflexivity
0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — likely relies on commercial vision-language or frontier LLMs optimized for web navigation. Highly vulnerable to adversarial examples and indirect prompt injection embedded in web page DOMs.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — primarily acts on transient DOM data and user-provided prompts rather than a persistent vector database, though extracted data could be vulnerable to exfiltration during transit.

L3 · Agent Frameworks✓ mapped

Translates high-level prompts into browser actions (clicking, typing, form submission). High risk of tool misuse and execution of unintended actions if the agent is manipulated by malicious web content (indirect prompt injection).

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — requires robust containerization and network sandboxing (e.g., secure Puppeteer/Playwright instances) to prevent the browser agent from accessing local network resources or escaping the host.

L5 · Evaluation & Observability✓ mapped

Provides a 'Live view browser agent' allowing real-time visual observability for users, but lacks explicit automated guardrails or anomaly detection to block harmful actions before they execute.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — no details are provided regarding session isolation, secure credential storage for website logins, or compliance with data privacy standards.

L7 · Agent Ecosystem✓ mapped

Supports 'Community built browser agents', creating a marketplace risk where users may execute untrusted, malicious, or poorly constructed agent templates that exfiltrate data or perform unauthorized actions.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).