ChatGPT Atlas — agentic threat model
ChatGPT Atlas presents a high-risk profile due to its deep integration into the user's browser, enabling it to read visited pages and execute actions (like shopping or task completion) using active user sessions, which exposes it heavily to indirect prompt injection and session hijacking.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.85 | |
| Persistent Memory | 0.70 | |
| Contextual Awareness | 0.90 | |
| Dynamic Identity | 0.70 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — likely powered by OpenAI's proprietary GPT-4 series models. The primary model-level threat is indirect prompt injection, where malicious instructions embedded in visited web pages hijack the model's behavior.
Processes active page content and utilizes 'browser memory'. Threats include memory poisoning (where malicious web content permanently corrupts the agent's long-term context) and the exfiltration of sensitive user data extracted from web pages.
Features an 'agent mode' capable of executing multi-step tasks like shopping and researching. Threats include tool misuse and insecure tool integration, where the agent is manipulated into performing unintended transactions or form submissions on active websites.
Deployed as a native macOS application. Key threats include sandbox escapes from the browser environment to the host macOS system, and insecure local storage of session tokens, history, or browser memory.
Not certain from the listing — no details are provided regarding real-time monitoring, guardrails, or logging of agent actions. A lack of observability could allow malicious actions taken by the agent mode to go undetected by the user.
Includes privacy controls such as incognito mode, site permissions, and history clearing. Threats include the bypass of site-specific permissions, accidental leakage of incognito session data into the persistent AI memory, and compliance violations regarding automated processing of personal data.
Not certain from the listing — no explicit multi-agent or marketplace features are described. The primary ecosystem threat would be future integrations with third-party web services or extensions that introduce cascading trust vulnerabilities.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).