Biel.ai — agentic threat model
Biel.ai is a low-autonomy, RAG-focused documentation assistant whose primary security risks lie in knowledge-base poisoning of its connected documentation sources and potential data exfiltration of sensitive internal wikis via prompt injection.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — likely relies on commercial third-party LLMs via API, exposing the system to standard foundation model threats like prompt injection, adversarial examples, and potential data leakage if inputs are used for model training.
Indexes external documentation sources including Confluence, Docusaurus, and Sphinx. This makes the agent highly vulnerable to RAG/knowledge-base poisoning if an attacker can modify the source documentation, leading to the AI serving malicious instructions or false information.
Uses Model Context Protocol (MCP) and API integrations for RAG as a service. Risks include insecure tool integration, prompt injection bypassing system instructions, and potential tool misuse if MCP servers are not properly sandboxed.
Not certain from the listing — as a closed-source SaaS with an embeddable widget, infrastructure security relies entirely on the vendor's hosting environment. Risks include widget-based XSS, unauthorized API access, and lack of tenant isolation in the vector database.
Provides real-time analytics and content gap insights. However, it is unclear if there are active guardrails or automated evaluations to detect adversarial prompt injections or hallucinated outputs in real-time.
Not certain from the listing — claims 'enterprise-grade security' but lacks specific compliance certifications (e.g., SOC 2, ISO 27001) or detailed access control mechanisms in the public description.
Supports Model Context Protocol (MCP) and API integrations, allowing it to act as a RAG service for other agents. This introduces risks of cascading failures or trust abuse if downstream agents consume poisoned documentation outputs.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).