Cloudairy — agentic threat model

AIVSS 7.1 · High

Cloudairy presents a low-to-moderate agentic risk profile, acting primarily as an AI-assisted collaborative whiteboard and project management tool. The primary security concerns center around data privacy, prompt injection affecting canvas content, and standard web application vulnerabilities rather than autonomous agent actions.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 6.3 · AARS uplift 0.78 · Factor sum 2.1/10 · Threat ×1.0 · Mitigation ×1.0

Autonomy of Action: 0.20
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.10
Persistent Memory: 0.50
Contextual Awareness: 0.40
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.10
Non-Determinism: 0.40
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — likely relies on external APIs (e.g., OpenAI) to categorize and brainstorm. Primary threats include prompt injection manipulating diagram structures or generating misleading content on the canvas.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — requires storage of user-generated mind maps, diagrams, and project data. Risks include unauthorized access to proprietary intellectual property stored on canvases or data leakage via shared workspaces.

L3 · Agent Frameworks ⚠ not certain from listing

Not certain from the listing — orchestration is likely limited to translating LLM outputs into structured canvas elements (nodes, connections). Risks include insecure handling of structured JSON/XML payloads representing diagrams.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — deployed as a collaborative SaaS platform (with an open-source option). Key threats include cross-tenant data isolation failures and insecure WebSocket connections used for real-time collaboration.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — no mention of content filtering or guardrails for AI-generated suggestions. Lack of observability could allow malicious prompt injections to go undetected in collaborative sessions.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — requires robust access control (RBAC) to manage workspace permissions. Vulnerabilities like Broken Object Level Authorization (BOLA) could expose private project boards to unauthorized users.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — primarily focuses on human-to-human collaboration with AI assistance. Minimal risk of multi-agent cascading failures unless integrated with external third-party productivity APIs.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).