Dendrite — agentic threat model
Dendrite presents a high-risk profile due to its capabilities in web authentication, element interaction, and file transfers, which expose it to indirect prompt injection and credential theft. Without explicit sandboxing or strict policy guardrails, its ability to bypass bot detection and act on the live web significantly amplifies the potential for unauthorized actions.
OWASP AIVSS score rationale
| Agentic risk factor | Value |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.40 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.90 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing. Dendrite is a browser automation framework and does not specify its underlying foundation models. It is nonetheless highly vulnerable to indirect prompt injection: adversarial content in a web page could manipulate the underlying LLM's browsing decisions.
Layer 2 (Data Operations): Dendrite extracts structured data and handles file downloads and uploads. Key threats include exfiltration of sensitive extracted data, and data poisoning or malicious file transfers if the agent downloads malware or uploads sensitive credentials or data to untrusted sites.
Layer 3 (Agent Frameworks): As a web-browsing framework, Dendrite's core risk lies in tool misuse and insecure tool integration. It lets agents authenticate and interact with web elements, creating severe risks of unauthorized actions (e.g., financial transactions, form submissions) if the agent is manipulated.
Layer 4 (Deployment and Infrastructure): Dendrite manages authentication on websites, meaning it handles highly sensitive user credentials and session cookies. Insecure storage of these secrets or a lack of browser sandboxing could lead to credential theft, session hijacking, or host compromise via malicious downloads.
Layer 5 (Evaluation and Observability): Not certain from the listing. The directory does not mention built-in logging, session recording, or guardrails to monitor and audit the agent's browsing actions, which could leave blind spots during unauthorized automated actions.
Layer 6 (Security and Compliance): Not certain from the listing. There is no mention of compliance certifications (e.g., SOC 2), role-based access control (RBAC), or policy enforcement mechanisms to restrict which domains the agent can authenticate against or interact with.
Layer 7 (Agent Ecosystem): Not certain from the listing. Dendrite is a single-agent developer tool for web browsing and does not explicitly detail multi-agent orchestration or marketplace integrations, though it could be integrated into larger multi-agent systems.
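One way to supply the missing control noted above, restricting which domains the agent may authenticate against or interact with, is a host allowlist checked before every browser action. This is an added example, not Dendrite's code or API; the `POLICY` table, its domains and all function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy with hypothetical domains (not from Dendrite or the listing).
POLICY = {
    "navigate": {"example.com", "docs.example.org"},
    "authenticate": {"login.example.com"},  # credentials may only be entered here
}

class PolicyViolation(Exception):
    """Raised when an agent action targets a host outside the policy."""

def normalized_host(url: str) -> str:
    """Return the canonical ASCII host, rejecting URL forms that hide the target."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise PolicyViolation("unparseable URL") from exc
    if parts.scheme != "https":
        raise PolicyViolation(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise PolicyViolation("userinfo in URL")  # https://trusted@other-host/
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise PolicyViolation("no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue with name checks
    else:
        raise PolicyViolation("IP literal")
    try:
        # IDNA-encode so Unicode look-alike names compare in punycode form.
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise PolicyViolation("invalid hostname") from exc

def check_action(action: str, url: str) -> str:
    """Allow the action only on a listed domain or a subdomain of one."""
    host = normalized_host(url)
    for domain in POLICY.get(action, set()):
        if host == domain or host.endswith("." + domain):
            return host
    raise PolicyViolation(f"{action} not permitted on {host}")

def is_allowed(action: str, url: str) -> bool:
    try:
        check_action(action, url)
        return True
    except PolicyViolation:
        return False
```

Unknown actions are denied by default, and credential entry uses a narrower list than navigation so a page the agent may read cannot also receive a login.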
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).