
ClearPact — agentic threat model

AIVSS 9.1 · Critical

ClearPact acts as a critical financial intermediary for autonomous agents, introducing high systemic risk due to its direct handling of on-chain escrow and payments on Base mainnet. A compromise of its API or smart contracts could result in immediate, irreversible financial loss across the agent ecosystem.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.58 · Factor sum 3.7/10 · Threat ×1.05 · Mitigation ×1.0

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.30
Contextual Awareness: 0.20
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.80
Non-Determinism: 0.10
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing: ClearPact is described as API/escrow infrastructure rather than as hosting its own LLM. If it uses LLMs internally to validate payment conditions, those models are vulnerable to prompt injection or misaligned outputs leading to unauthorized release of funds.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — The listing focuses on on-chain transactions. Data operations likely involve tracking transaction states and wallet addresses. Vulnerabilities include transaction history tampering or metadata leakage.

L3 · Agent Frameworks ✓ mapped

ClearPact provides the tool/integration layer for other agents. Vulnerabilities here include insecure API integration, where a compromised calling agent can trigger unauthorized escrow creation, funding, or settlement.

L4 · Deployment & Infrastructure ✓ mapped

The infrastructure runs on Base (L2 blockchain) and hosts API endpoints. Vulnerabilities include smart contract bugs, private key exposure, or API gateway compromise leading to drained escrow accounts.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — No details are provided on how ClearPact monitors transaction anomalies or logs malicious API calls. Gaps here could lead to undetected financial draining or exploitation of the escrow logic.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The service handles financial transactions (escrow) on-chain. Compliance risks include lack of KYC/AML controls for transacting agents, and security risks involve access control/authentication for the API keys managing the escrows.

L7 · Agent Ecosystem ✓ mapped

ClearPact is a critical horizontal node in the agent ecosystem, enabling agent-to-agent (A2A) commerce. A compromise here could cause cascading failures across all dependent AI agents, leading to systemic financial losses.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).