
Atoms — agentic threat model

AIVSS 9.6 · Critical

Atoms presents a high agentic risk profile due to its multi-agent orchestration capabilities designed to generate and deploy full-stack applications (including sensitive components like auth and payments). The lack of explicit sandboxing or verification controls in the listing increases the potential for malicious code injection or tool abuse.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 1.1
Factor sum: 7.0/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0–1):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.90
Self-Modification: 0.40
Dynamic Tool Use: 0.80
Persistent Memory: 0.60
Contextual Awareness: 0.70
Dynamic Identity: 0.30
Multi-Agent Interactions: 1.00
Non-Determinism: 0.80
Opacity & Reflexivity: 0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
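The formula above, carried through with the page's own inputs, as an added worked example (not the OWASP AIVSS calculator's code and not part of this listing). It assumes that displayed values are rounded to one decimal place, that the final score is capped at 10, and that the "Critical" label follows the CVSS v3 qualitative severity bands; the factor values and the 8.5 / 1.05 / 1.0 parameters are exactly those shown on this page.

```python
# Worked example of the AIVSS formula quoted on this page (added here; not
# the OWASP calculator's own code):
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
# Assumptions: results are rounded to one decimal for display, the final
# score is capped at 10, and severity labels use the CVSS v3 bands.

# The ten agentic risk factors for Atoms, exactly as listed on the page.
ATOMS_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.90,
    "Self-Modification": 0.40,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.60,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 1.00,
    "Non-Determinism": 0.80,
    "Opacity & Reflexivity": 0.70,
}


def factor_sum(factors):
    """Sum of the agentic factors; each must lie in [0, 1], so ten factors sum to at most 10."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier):
    """Agentic uplift: the headroom above the CVSS base, scaled by the factors and ThM."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return (score, breakdown), rounded to one decimal and capped at 10 (assumptions)."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    uplift = aars(cvss_base, factors, threat_multiplier)
    score = min(10.0, (cvss_base + uplift) * mitigation_factor)
    breakdown = {
        "factor_sum": round(factor_sum(factors), 1),
        "aars": round(uplift, 1),
    }
    return round(score, 1), breakdown


def severity(score):
    """CVSS v3 qualitative bands (assumed to be what the page's 'Critical' label uses)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    score, parts = aivss(8.5, ATOMS_FACTORS, threat_multiplier=1.05, mitigation_factor=1.0)
    print(f"factor sum {parts['factor_sum']}/10, AARS uplift {parts['aars']}, "
          f"AIVSS {score} · {severity(score)}")
```

With the page's inputs the factors sum to 7.0, the uplift is (10 − 8.5) × 0.7 × 1.05 = 1.1025, and the score is 8.5 + 1.1025 = 9.6025, which displays as 9.6 · Critical. Lowering the mitigation factor (for example to 0.5 once sandboxing and human approval controls are documented) is the lever that moves this score; the agentic factors only scale the gap between the CVSS base and 10.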

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — The specific foundation models powering Atoms are not disclosed, though its lineage (MetaGPT/OpenManus) suggests reliance on advanced commercial LLMs. Risks include prompt injection bypassing system instructions and model-level vulnerabilities leading to misaligned code generation.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The data operations, vector stores, and RAG mechanisms used for market research and code generation are unspecified. Risks include knowledge-base poisoning if external market research sources are untrusted, potentially leading to malicious dependencies being recommended.

L3 · Agent Frameworks (✓ mapped)

Atoms is built on MetaGPT and OpenManus frameworks, orchestrating complex software development lifecycles. The primary threat is tool misuse and insecure tool integration, where the agent framework executes generated code or interacts with external APIs (like payment gateways) without sufficient isolation.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — While described as running 'in the browser', generating and deploying full-stack apps (backend, auth, payments) implies backend execution environments. If code execution is not strictly sandboxed, it poses severe risks of container compromise and host privilege escalation.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — There is no mention of observability, logging, or guardrails to monitor the multi-agent interactions. This creates a blind spot where malicious or anomalous agent behavior during code generation could go unnoticed.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — No security compliance frameworks, access control policies, or identity management systems are detailed. The lack of explicit human-in-the-loop (HITL) approvals for code deployment represents a significant compliance and security gap.

L7 · Agent Ecosystem (✓ mapped)

Atoms operates a highly complex multi-agent ecosystem (researcher, PM, architect, engineer, SEO, analyst). This introduces severe risks of agent-to-agent trust abuse, cascading failures where one compromised agent (e.g., the researcher) poisons the downstream workflow (e.g., the engineer), and rogue behavior.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).