AgentReadyHomeAgent Listing

← Carly AI

Carly AI — agentic threat model

9.5AIVSS 9.5 · Critical

Carly AI presents a high-risk profile due to its deep integration with sensitive communication channels (email, CRM, calendar) and its susceptibility to indirect prompt injection via incoming emails, which could trigger unauthorized tool execution across 120+ integrations.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5AARS uplift 0.96Factor sum 6.1/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.80
Goal-Driven Planning
0.70
Self-Modification
0.10
Dynamic Tool Use
0.80
Persistent Memory
0.60
Contextual Awareness
0.80
Dynamic Identity
0.60
Multi-Agent Interactions
0.40
Non-Determinism
0.60
Opacity & Reflexivity
0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — likely relies on third-party foundation models to parse emails and draft responses. The primary threat is indirect prompt injection, where malicious instructions embedded in incoming emails hijack the model's behavior.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — processes highly sensitive user data including emails, calendar events, CRM records, and invoices. Gaps in data isolation or lack of encryption for cached email content could lead to severe data exfiltration.

L3 · Agent Frameworks✓ mapped

The agent framework orchestrates complex workflows across 120+ integrations. Insecure tool integration is a critical threat, as an injected prompt could abuse tools to delete CRM records, send unauthorized emails, or exfiltrate files.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — operates as a closed-source SaaS. The infrastructure must securely store and manage API keys/OAuth tokens for 120+ integrations; credential theft or host compromise would grant attackers access to connected user accounts.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — no mention of guardrails or real-time monitoring. Without robust observability, unauthorized actions triggered by malicious emails (such as modifying invoices or CRM data) could go undetected.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — despite operating in highly regulated sectors like Healthcare and Education, there is no explicit mention of compliance standards (e.g., HIPAA, FERPA, SOC2) or fine-grained authorization policies.

L7 · Agent Ecosystem✓ mapped

Supports the creation of 'custom agents' and integrates with a vast ecosystem of external services. This introduces risks of cascading failures and trust abuse if custom agents inherit broad permissions or interact insecurely with third-party APIs.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).