AgentReady · Agent Listing

Chroma — agentic threat model

AIVSS 7.6 · High

Chroma is an AI-native vector database serving as a critical memory and RAG infrastructure component rather than an active agent. Its primary security risks lie in data operations (L2), specifically database poisoning and unauthorized data exfiltration, which can indirectly compromise the downstream agents relying on its embeddings.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5 · AARS uplift 0.53 · Factor sum 2.1/10 · Threat ×1.0 · Mitigation ×0.95

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action          0.00
Goal-Driven Planning        0.00
Self-Modification           0.10
Dynamic Tool Use            0.00
Persistent Memory           0.90
Contextual Awareness        0.40
Dynamic Identity            0.00
Multi-Agent Interactions    0.20
Non-Determinism             0.20
Opacity & Reflexivity       0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
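Worked through in code, as an added example that is not part of the AgentReady listing: the formula above applied to this page's own inputs (CVSS base, the ten factor scores, threat multiplier and mitigation factor), reproducing the 0.53 uplift and the 7.6 score. Decimal arithmetic is used so the half-up rounding matches the displayed figures; the severity bands are an assumption that AIVSS reuses the CVSS v3 thresholds, which the listing does not state.

```python
from decimal import Decimal, ROUND_HALF_UP

# Inputs exactly as the listing shows them.
CVSS_BASE = Decimal("7.5")
THREAT_MULTIPLIER = Decimal("1.0")   # ThM
MITIGATION_FACTOR = Decimal("0.95")

# The ten agentic risk factors (0.0-1.0 each) from the table above.
AGENTIC_FACTORS = {
    "Autonomy of Action": "0.00", "Goal-Driven Planning": "0.00",
    "Self-Modification": "0.10", "Dynamic Tool Use": "0.00",
    "Persistent Memory": "0.90", "Contextual Awareness": "0.40",
    "Dynamic Identity": "0.00", "Multi-Agent Interactions": "0.20",
    "Non-Determinism": "0.20", "Opacity & Reflexivity": "0.30",
}

# Qualitative bands; assumption: AIVSS reuses the CVSS v3 thresholds.
BANDS = ((9, "Critical"), (7, "High"), (4, "Medium"), (0, "Low"))


def _round(value, places):  # round half up, as the listing displays
    return value.quantize(Decimal(1).scaleb(-places), rounding=ROUND_HALF_UP)

def factor_sum(factors):
    """Factor_Sum: plain sum of the ten factor scores (maximum 10)."""
    return sum(Decimal(v) for v in factors.values())

def aars(cvss_base, factor_sum_value, threat_multiplier):
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM: the agentic uplift,
    scaled by the headroom left above the CVSS base score."""
    return (Decimal(10) - cvss_base) * (factor_sum_value / 10) * threat_multiplier

def aivss(cvss_base, factors, threat_multiplier, mitigation_factor):
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor."""
    uplift = aars(cvss_base, factor_sum(factors), threat_multiplier)
    return (cvss_base + uplift) * mitigation_factor

def severity(score):
    return next(label for floor, label in BANDS if score >= floor)

def chroma_score():
    """Reproduce the listing's headline figures from its own inputs."""
    fs = factor_sum(AGENTIC_FACTORS)
    total = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    return {"factor_sum": float(_round(fs, 1)),
            "aars": float(_round(aars(CVSS_BASE, fs, THREAT_MULTIPLIER), 2)),
            "aivss": float(_round(total, 1)), "severity": severity(total)}
```

Because Persistent Memory (0.90) dominates the factor sum, most of the 0.53 uplift over the CVSS base comes from the memory/RAG role the listing describes, not from autonomy or tool use.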

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — Chroma is a vector database that integrates with external embedding models (like OpenAI or Hugging Face) rather than hosting its own foundation models, making L1 threats dependent on the chosen external provider.

L2 · Data Operations · ✓ mapped

Chroma is a vector database handling embeddings and metadata. Key threats include data/knowledge-base poisoning (injecting malicious embeddings to hijack downstream RAG outputs), embedding inversion (reconstructing sensitive raw text from stored embeddings), and unauthorized data exfiltration via query manipulation.

L3 · Agent Frameworks · ⚠ not certain from listing

Not certain from the listing — Chroma provides the memory/retrieval layer for agent frameworks but does not orchestrate agent planning or tool execution itself; framework-level vulnerabilities depend on the orchestrator (e.g., LangChain, AutoGen) integrating Chroma.

L4 · Deployment & Infrastructure · ✓ mapped

Chroma can be deployed locally via SDK or hosted in a private-preview managed cloud. Threats include container/host compromise, unauthorized API access to the database port, and lack of network isolation between tenant namespaces in cloud deployments.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — Chroma focuses on storage and retrieval performance rather than built-in LLM evaluation or guardrails, meaning observability of retrieval quality or drift must be handled by external monitoring tools.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — as an open-source project with a private-preview cloud, built-in enterprise security controls (such as RBAC, fine-grained access control, and compliance certifications) are not detailed in the basic listing and are typically self-managed in local deployments.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — Chroma acts as a shared memory resource but does not natively manage multi-agent coordination or marketplace interactions, though compromised shared databases can lead to cross-agent data contamination.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).