
Chaty AI — agentic threat model

AIVSS 9.1 · Critical

Chaty AI presents a high-risk profile due to its direct integration with payment gateways and booking systems combined with public-facing voice interaction. The primary threat vector is voice-based prompt injection leading to unauthorized bookings, financial fraud, or PII leakage from call transcripts.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.65
Factor sum: 4.1 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors (each scored 0.00–1.00):
Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.30
Contextual Awareness: 0.50
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.00
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description did not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — likely relies on third-party speech-to-text, LLM, and text-to-speech models. Threats include voice-based prompt injection (vishing-style exploits) and model reprogramming via spoken instructions.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — processes real-time availability data, customer PII, and payment details. Threats include unauthorized access to call transcripts, data leakage of customer booking histories, and lack of clear data retention/sanitization policies for voice recordings.

L3 · Agent Frameworks (✓ mapped)

Orchestrates call routing, custom voice generation, and direct API integrations with Rezdy, Roller, Fareharbor, and Bookeo. Threats include insecure tool integration where malicious voice inputs trigger unauthorized API calls, booking modifications, or payment bypasses.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — operates on telephony and cloud hosting infrastructure. Threats include SIP trunk hijacking, insecure webhook endpoints connecting to booking platforms, and lack of network isolation between the voice processing unit and internal booking databases.

L5 · Evaluation & Observability (✓ mapped)

Provides call transcripts for monitoring. Threats include logging sensitive payment card data (PCI) or PII in plain text within transcripts, and a lack of real-time voice guardrails to detect and block adversarial injection attempts during live calls.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — handles booking and payment integrations but does not explicitly state compliance with PCI-DSS, SOC2, or GDPR. Threats include regulatory non-compliance regarding voice recording consent and insecure handling of financial transactions.

L7 · Agent Ecosystem (✓ mapped)

Integrates directly with external booking ecosystems (Rezdy, Roller, Fareharbor, Bookeo). Threats include cascading failures if downstream booking APIs are compromised, rate-limiting denial of service, and trust abuse where the agent acts as an authenticated insider within those platforms.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).