Dori Chatbot — agentic threat model
Dori Chatbot is a low-to-medium risk conversational shopping assistant whose primary threats involve prompt injection leading to client-side XSS, manipulation of product recommendations, and potential integration abuses with connected e-commerce platforms.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.40 | |
| Goal-Driven Planning | 0.30 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.40 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.50 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
1. Foundation Models: Not certain from the listing — The underlying LLM is not specified. Threats include prompt injection to bypass shopping guidelines, model reprogramming to recommend competitor products, or generating toxic outputs to shoppers.
2. Data Operations: The agent is 'trainable' on store data and integrates with major e-commerce platforms. Threats include data poisoning of the product catalog (e.g., injecting malicious links or false pricing into product descriptions) and unauthorized extraction of proprietary inventory data via conversational probing.
3. Agent Frameworks: Orchestrates product discovery and platform integrations. Threats include insecure tool use where prompt injection manipulates API calls to the e-commerce backend, potentially leaking customer cart details or generating unauthorized discount codes.
4. Deployment & Infrastructure: Deployed as a sidebar widget, a public subdomain page, or a social media link. Threats include subdomain takeover, Cross-Site Scripting (XSS) via the embedded widget on the host e-commerce site, and exposure of API keys used to connect to platforms like Shopify.
5. Evaluation & Observability: Not certain from the listing — No mention of real-time guardrails, output filtering, or drift monitoring. Lack of observability could allow persistent prompt injection attacks or brand-damaging hallucinations to go undetected.
6. Security & Compliance: Not certain from the listing — No explicit compliance certifications (e.g., PCI-DSS, GDPR) or robust authentication mechanisms are detailed for the admin dashboard or the widget itself.
7. Agent Ecosystem: Not certain from the listing — The chatbot operates primarily as a single-agent system interacting with human shoppers and e-commerce APIs, with no explicit multi-agent marketplace or delegation features mentioned.
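The widget-layer XSS threat and the catalog link-poisoning threat above share one mitigation: the widget must treat model output as untrusted text and only linkify URLs on the merchant's own origin. The following is an added example (not Dori's code); `STORE_ORIGIN` and the sample reply are constructed values.

```javascript
// Added example, not part of the Dori Chatbot product. The merchant origin is a
// constructed placeholder that a real widget would receive at load time.
const STORE_ORIGIN = "https://shop.example";

const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only https URLs whose full origin matches the store, so links planted
// in a poisoned product description or an injected reply cannot point elsewhere.
function isAllowedProductUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  return u.protocol === "https:" && u.origin === STORE_ORIGIN;
}

// Vulnerable pattern the threat model warns about:
//   container.innerHTML = reply;   // model output dropped straight into the DOM
// Hardened rendering: every character is escaped, and only allowlisted URLs
// become anchors. The returned string is safe to assign to innerHTML.
function renderReply(reply) {
  let out = "";
  let last = 0;
  for (const m of reply.matchAll(URL_RE)) {
    out += escapeHtml(reply.slice(last, m.index));
    const url = m[0];
    out += isAllowedProductUrl(url)
      ? `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`
      : escapeHtml(url);
    last = m.index + url.length;
  }
  return out + escapeHtml(reply.slice(last));
}

// Constructed reply mixing a legitimate product link, an injected tag and an off-site link.
const SAMPLE_REPLY =
  'Try https://shop.example/products/42 <img src=x onerror="alert(1)"> or https://evil.example/p';
console.log(renderReply(SAMPLE_REPLY));
```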
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).