
Basic Memory — agentic threat model

AIVSS 7.5 · High

Basic Memory introduces significant risk of persistent memory poisoning and local file system exposure by allowing agents to read and write markdown files directly on the host. Its agentic risk is driven by its persistent state across sessions, though mitigated by its lack of autonomous execution or dynamic tool-calling capabilities.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.5 · AARS uplift 1.36 · Factor sum 3.7/10 · Threat ×1.05 · Mitigation ×0.95

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.40
Dynamic Tool Use: 0.30
Persistent Memory: 0.90
Contextual Awareness: 0.70
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.30
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
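The score above can be reproduced from the listed inputs. The following is an added worked example, not the OWASP calculator's code: it implements the formula exactly as stated in the rationale, recomputes the factor sum, AARS uplift and final score for Basic Memory, and adds a what-if helper so a defender can see how far a mitigation to one factor (here the dominant Persistent Memory factor) would move the score. The qualitative bands in severity_band() are an assumption that AIVSS reuses the CVSS v3 bands; the listing itself only shows that 7.5 maps to "High".

```python
"""AIVSS scoring for the Basic Memory listing, worked in code.

Added example; not the OWASP calculator's implementation. It applies the
formula as stated in the rationale and reproduces the listing's numbers.
"""
from dataclasses import dataclass

# Agentic risk factors from the listing, each on a 0.0-1.0 scale.
BASIC_MEMORY_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.40,
    "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.90,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}


@dataclass
class AivssResult:
    factor_sum: float
    aars: float
    score: float
    severity: str


def severity_band(score):
    """Qualitative band. Assumption: AIVSS reuses the CVSS v3 bands;
    the listing only shows that 7.5 is labelled 'High'."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def compute_aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor,
    AARS  = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0-10")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be within 0-1, got {value}")
    factor_sum = sum(factors.values())
    # The uplift is scaled by the headroom left below 10, so a high CVSS
    # base leaves less room for agentic risk to add on top.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    return AivssResult(factor_sum, aars, score, severity_band(round(score, 1)))


def dominant_factor(factors):
    """Name of the factor contributing most to Factor_Sum (ties: first listed)."""
    return max(factors, key=factors.get)


def what_if(cvss_base, factors, threat_multiplier, mitigation_factor, name, new_value):
    """Re-score with one factor changed, to size the effect of a mitigation."""
    changed = {**factors, name: new_value}
    return compute_aivss(cvss_base, changed, threat_multiplier, mitigation_factor).score


if __name__ == "__main__":
    r = compute_aivss(6.5, BASIC_MEMORY_FACTORS, 1.05, 0.95)
    print(f"factor sum {r.factor_sum:.1f}/10, AARS {r.aars:.2f}, "
          f"AIVSS {r.score:.1f} ({r.severity})")
    print("dominant factor:", dominant_factor(BASIC_MEMORY_FACTORS))
    moved = what_if(6.5, BASIC_MEMORY_FACTORS, 1.05, 0.95, "Persistent Memory", 0.0)
    print(f"with Persistent Memory at 0.0: AIVSS {moved:.1f}")
```

Running it prints factor sum 3.7, AARS 1.36 and AIVSS 7.5 (High), matching the listing, and shows that even zeroing the Persistent Memory factor only brings the score to 7.2, because the CVSS base of 6.5 already sits close to the High band.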

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models [⚠ not certain from listing]

Not certain from the listing — The agent relies on external LLMs via the Model Context Protocol (MCP). The primary threat is model reprogramming or prompt injection when poisoned notes from the local markdown knowledge graph are recalled into the active context window.

L2 · Data Operations [✓ mapped]

The core of this agent is local RAG and semantic memory. The primary threats are data poisoning of the local markdown files (which can alter future agent behavior) and lack of input validation on files read from the user's knowledge base, potentially leading to path traversal or unauthorized file access.

L3 · Agent Frameworks [✓ mapped]

The agent framework manages bidirectional note linking and persistent state. Memory poisoning is a critical threat here, as malicious or malformed notes can corrupt the semantic graph, leading to logic bypasses or unexpected tool execution in the orchestrating framework.

L4 · Deployment & Infrastructure [✓ mapped]

The agent runs locally as an MCP tool, reading and writing directly to the host disk. The main threat is directory traversal or arbitrary file write/read if the agent does not strictly sandbox its file operations to a designated workspace directory.

L5 · Evaluation & Observability [⚠ not certain from listing]

Not certain from the listing — There is no mention of built-in guardrails, logging, or anomaly detection to identify when poisoned notes are being injected into the knowledge graph or when unauthorized file paths are accessed.
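The L4 mitigation (confining file operations to a designated workspace) and the L5 gap (no logging of unauthorized path access) can be addressed together. The following is an added example and not Basic Memory's own code: it assumes all notes live under one workspace directory and that every read or write passes through resolve_in_workspace() first. The containment check is made on the fully resolved on-disk path, so a '../' sequence, an absolute path and a note that is really a symlink pointing outside the workspace are all refused, and every decision is recorded in an audit list that a real deployment would forward to its logging pipeline. The workspace, notes and symlink used by audit_demo() are constructed sample data.

```python
"""Workspace-confined note access with an audit trail.

Added example; not Basic Memory's own code. Assumes one workspace directory
per knowledge base and that all file access goes through resolve_in_workspace().
"""
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("memory.audit")
AUDIT = []  # in-memory audit events; a deployment would ship these to a SIEM


class WorkspaceEscape(PermissionError):
    """Raised when a requested note path resolves outside the workspace."""


def resolve_in_workspace(workspace, requested):
    """Return the resolved path for `requested`, or raise if it leaves `workspace`.

    Path.resolve() collapses '..' segments and follows symlinks, so the check
    is made on the final target rather than on the string the caller supplied.
    """
    root = Path(workspace).resolve()
    # Joining an absolute `requested` discards `root`; the containment check
    # below catches that case instead of trying to sanitise the string.
    candidate = (root / requested).resolve()
    inside = candidate == root or root in candidate.parents
    event = {"requested": str(requested), "resolved": str(candidate),
             "decision": "allowed" if inside else "blocked"}
    AUDIT.append(event)
    if not inside:
        log.warning("blocked path escape: %(requested)r -> %(resolved)s", event)
        raise WorkspaceEscape(f"{requested!r} resolves outside {root}")
    log.info("file access: %(requested)r -> %(resolved)s", event)
    return candidate


def read_note(workspace, requested):
    """Read a markdown note only after the path has passed the containment check."""
    return resolve_in_workspace(workspace, requested).read_text()


def audit_demo():
    """Exercise the check against a throwaway workspace (constructed sample data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        (ws / "notes").mkdir(parents=True)
        (ws / "notes" / "plan.md").write_text("# plan\n- ship v1\n")
        outside = Path(tmp) / "secret.txt"  # a file the agent must never see
        outside.write_text("not for the agent\n")
        # A note that is really a symlink out of the workspace.
        (ws / "notes" / "link.md").symlink_to(outside)
        cases = {
            "plain note": "notes/plan.md",
            "dot-dot": "../secret.txt",
            "symlink out": "notes/link.md",
            "absolute": str(outside),
        }
        for label, req in cases.items():
            try:
                read_note(ws, req)
                results[label] = "allowed"
            except WorkspaceEscape:
                results[label] = "blocked"
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for label, decision in audit_demo().items():
        print(f"{label:12} {decision}")
```

Only the plain note is readable; the other three requests are refused before any file is opened, and each refusal leaves a warning-level audit event naming both the requested string and the resolved target, which is the signal an observability layer would alert on.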

L6 · Security & Compliance (cross-cutting) [⚠ not certain from listing]

Not certain from the listing — The tool relies on the host environment's file permissions for access control. There are no explicit authentication or authorization mechanisms described to restrict which client applications or agents can read/write to the knowledge graph.

L7 · Agent Ecosystem [✓ mapped]

As an MCP tool, this agent is designed to be called by other agents. A compromised or malicious upstream agent could abuse this tool to exfiltrate sensitive local files or write malicious payloads into the user's persistent knowledge base.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).