Careery — agentic threat model
Careery exhibits high agentic risk due to its continuous background execution, direct integration with external email and ATS systems, and the authority to act on behalf of users (submitting applications and triaging emails) without mandatory human-in-the-loop validation.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.90 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.70 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.90 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.70 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — likely relies on commercial LLMs for parsing resumes and matching job descriptions. Main threats include prompt injection embedded in job postings or ATS forms, which could hijack the agent's logic during automated browsing.
Layer 2, Data Operations: Not certain from the listing — stores user resumes, cover letters, and application history. Threats include unauthorized access or exfiltration of highly sensitive PII, and potential data poisoning if malicious job descriptions are ingested into the matching database.
Layer 3, Agent Frameworks: The agent orchestrates multi-step workflows including job discovery, form filling on external ATS portals, and email triage. Threats include tool misuse, where the browser automation tool is manipulated into submitting malicious payloads to ATS portals or misinterpreting critical recruiter emails.
Layer 4, Deployment and Infrastructure: Not certain from the listing — operates as a web-based SaaS. Threats include compromise of the infrastructure hosting the browser automation workers, leading to the exposure of session tokens, email credentials, or API keys used to access ATS systems.
Layer 5, Evaluation and Observability: Not certain from the listing — provides application tracking and credit management. Threats include a lack of real-time observability into the browser automation steps, creating blind spots where the agent might submit incorrect data or fail silently on complex portals.
Layer 6, Security and Compliance: The agent acts as a proxy for the user's identity, handling sensitive PII and email access. Threats include inadequate authorization boundaries, lack of granular user consent for specific applications, and compliance risks under GDPR/CCPA regarding automated job application submissions.
Layer 7, Agent Ecosystem: Interacts directly with external third-party ecosystems (Workday, Greenhouse, Jobvite, and email servers). Threats include trust abuse, where external platforms treat the agent's automated actions as legitimate user actions, potentially leading to IP blocking, account suspension, or the agent being used to distribute spam.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).