AgentReadyHomeAgent Listing

← Cipher

Cipher — agentic threat model

8.9AIVSS 8.9 · High

Cipher presents a high agentic risk due to its core function of cross-session, multi-agent shared persistent memory, which creates a highly fertile vector for indirect prompt injection and cascading memory poisoning attacks across an entire agent ecosystem.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.5AARS uplift 1.39Factor sum 5.3/10Threat ×1.05Mitigation ×1.0
Autonomy of Action
0.30
Goal-Driven Planning
0.20
Self-Modification
0.80
Dynamic Tool Use
0.20
Persistent Memory
1.00
Contextual Awareness
0.80
Dynamic Identity
0.10
Multi-Agent Interactions
0.80
Non-Determinism
0.50
Opacity & Reflexivity
0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — Cipher acts as an MCP memory tool and does not specify the underlying foundation model used for embeddings or reasoning, but it is highly vulnerable to prompt injection via recalled memories re-entering the prompt.

L2 · Data Operations✓ mapped

Cipher relies heavily on vector databases and embeddings for persistent memory. The primary threat is vector database poisoning and embedding inversion, where malicious memories are injected to corrupt the semantic space or exfiltrate sensitive historical context.

L3 · Agent Frameworks✓ mapped

As an MCP-based memory framework, it is highly susceptible to memory poisoning. Malicious inputs stored in the vector database are later recalled into the agent's prompt context, leading to indirect prompt injection and hijacking of the orchestration flow.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The deployment architecture (local MCP host vs. cloud vector database) is unspecified, but insecure local MCP daemon configurations or unencrypted vector database connections could expose the memory store to unauthorized local access.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of built-in guardrails, memory sanitization, or anomaly detection to flag poisoned memories or unusual retrieval patterns before they are injected back into the agent's context.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — The description explicitly flags 'access scoping' as a key security consideration, indicating a lack of robust, built-in multi-tenant isolation or role-based access control (RBAC) for shared team memories.

L7 · Agent Ecosystem✓ mapped

Highly relevant due to 'shared team workspace memory over MCP'. A single compromised agent can poison the shared memory space, leading to cascading trust abuse and lateral movement/exploitation of all other agents connected to the same workspace.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).