

browser-pilot — agentic threat model

AIVSS 9.4 · Critical

The browser-pilot agent presents a high-risk profile due to its capability to drive a real browser via CDP, exposing the host system to indirect prompt injection, SSRF, and local data exfiltration if not strictly sandboxed.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.58
Factor sum: 4.6/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0
Agentic risk factors (each scored 0.0 to 1.0):
Autonomy of Action: 0.70
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.20
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not pin down that layer.

L1 · Foundation Models [⚠ not certain from listing]

Not certain from the listing — relies on Claude models via Claude Code; susceptible to prompt injection leading to unauthorized browser actions.

L2 · Data Operations [✓ mapped]

Handles untrusted external web data (scraping, crawling, screenshots) which can introduce malicious payloads, indirect prompt injection, or sensitive data exposure during capture.

L3 · Agent Frameworks [✓ mapped]

Orchestrated via Claude Code. High risk of tool misuse (CDP automation) where malicious inputs can force the browser to navigate to malicious sites, exfiltrate data, or perform CSRF attacks.

L4 · Deployment & Infrastructure [⚠ not certain from listing]

Not certain from the listing — likely runs locally on the user's machine where Claude Code is executed. If unsandboxed, CDP control of a local browser poses severe host compromise and local network access risks.

L5 · Evaluation & Observability [⚠ not certain from listing]

Not certain from the listing — no built-in evaluation, guardrails, or observability features are mentioned for monitoring browser actions or detecting malicious navigation.

L6 · Security & Compliance (cross-cutting) [⚠ not certain from listing]

Not certain from the listing — lacks explicit authentication, authorization, or compliance controls. Relies entirely on the host environment's security posture.

L7 · Agent Ecosystem [✓ mapped]

Acts as a tool/plugin within the Claude Code ecosystem. Vulnerable to cascading failures if Claude Code is compromised or if other plugins interact maliciously with the browser session.
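The L3 and L4 entries above both come down to the same control: an agent that drives a real browser must not be able to turn an injected instruction into a navigation to a loopback, link-local, private-network or non-HTTP target. The following is an added example of such a navigation policy check, written here for illustration; it is not browser-pilot's code, and the allowlist contents and the point at which the agent would call it (before every navigate) are assumptions.

```python
"""Egress policy for an agent-driven browser: decide whether a navigation
target is permitted BEFORE the URL is handed to the browser (e.g. ahead of a
CDP Page.navigate). Added example; not browser-pilot's own code.

Assumptions: the host runs this check on every navigation the model requests,
and ALLOWED_HOSTS is supplied by the operator, not by the model or page content.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: exact hosts, or "*.suffix" for any subdomain of suffix.
ALLOWED_HOSTS = {"docs.example.com", "*.example.org"}

PERMITTED_SCHEMES = {"http", "https"}


def is_private_or_local(host: str) -> bool:
    """True for loopback, RFC1918, link-local (incl. cloud metadata), unspecified,
    reserved and multicast literals, and for local-only names."""
    name = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        # Not a standard IP literal. Single-label names (and decimal/hex IP
        # spellings, which ipaddress rejects) are treated as local; anything
        # else falls through to the allowlist, which is the real backstop
        # because this function does not resolve DNS.
        return name == "localhost" or name.endswith((".localhost", ".local")) or "." not in name
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def host_allowed(host: str, allowlist: set) -> bool:
    name = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if name.endswith(entry[1:]):      # ".example.org" suffix, subdomains only
                return True
        elif name == entry:
            return True
    return False


def check_navigation(url: str, allowlist: set = ALLOWED_HOSTS) -> tuple:
    """Return (allowed, reason). Deny by default; every branch names its reason
    so the decision can be logged alongside the model's requested action."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in PERMITTED_SCHEMES:
        return (False, f"scheme {scheme or '<none>'!r} not permitted")
    host = parts.hostname
    if not host:
        return (False, "no host in URL")
    if is_private_or_local(host):
        return (False, f"target {host!r} is loopback/private/link-local")
    if not host_allowed(host, allowlist):
        return (False, f"host {host!r} not in allowlist")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample of navigation requests an injected page might produce.
    for candidate in [
        "https://docs.example.com/page",
        "http://127.0.0.1/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]/",
        "file:///tmp/report.html",
        "https://other.example.net/",
    ]:
        allowed, reason = check_navigation(candidate)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {candidate}  ({reason})")
```

The check is deliberately a pure function of the URL so it can sit in the host process rather than in the model's context; the one gap it does not close is a public hostname that resolves to a private address (DNS rebinding), which needs the resolved address re-checked at connection time as well.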

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).