Do Browser — agentic threat model
Do Browser is rated a high-risk agent because of where it runs: a Chrome extension with direct DOM access. Every page it reads is untrusted input, so it is highly exposed to indirect prompt injection from web content, which can lead to unauthorized browser actions or exfiltration of user data.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.60 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.80 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.30 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.70 |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors above are estimates derived from the agent's publicly described capabilities, not from testing.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the seven MAESTRO layers in order. Layers tagged "Not certain from the listing" are general, caveated commentary where the public description did not pin down that layer.
Layer 1, Foundation Models: Not certain from the listing — The underlying foundation model is unspecified. Regardless of model, because the agent processes arbitrary web page content, it is highly exposed to indirect prompt injection and adversarial instructions embedded in pages.
Layer 2, Data Operations: Not certain from the listing — It is unclear how DOM data, form inputs, or user commands are stored, cached, or transmitted. The primary threat is accidental exfiltration or exposure of sensitive user data extracted during web tasks.
Layer 3, Agent Frameworks: The agent framework translates natural language into browser actions (navigation, form filling, clicking). The main threat is tool misuse, where malicious page structure tricks the agent's planning step into executing unintended actions, such as submitting a form containing sensitive data to a third-party origin.
Layer 4, Deployment and Infrastructure: Deployed as a Chrome extension. Threats include extension-level vulnerabilities such as Cross-Site Scripting (XSS) in the extension's own UI, insecure local storage of session tokens or API keys, and potential privilege escalation within the browser sandbox.
Layer 5, Evaluation and Observability: Not certain from the listing — There is no mention of real-time monitoring, guardrails, or audit logging of the actions the agent takes on the user's behalf, which leaves a significant blind spot for unauthorized or erroneous actions.
Layer 6, Security and Compliance: Not certain from the listing — No security compliance certifications (e.g., SOC 2), enterprise access controls, or data governance policies are specified for this free, closed-source tool.
Layer 7, Agent Ecosystem: Not certain from the listing — The agent appears to operate as a standalone browser assistant, with no described multi-agent coordination or ecosystem/marketplace integrations.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).