download-gemini-images — agentic threat model

AIVSS 8.9 · High

This agent drives a local browser session using a logged-in Chrome state to extract and download images, presenting a high risk of session hijacking, local file system exposure, and unauthorized data exfiltration if compromised.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.1 · AARS uplift 0.78 · Factor sum 3.9/10 · Threat ×1.05 · Mitigation ×1.0

Autonomy of Action: 0.60
Goal-Driven Planning: 0.40
Self-Modification: 0.00
Dynamic Tool Use: 0.70
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.00
Non-Determinism: 0.30
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The agent relies on Gemini for the conversation context, but the specific underlying foundation model and its alignment controls are not detailed in this local browser-driving skill.

L2 · Data Operations ✓ mapped

The agent extracts image data from active Gemini sessions and writes files directly to the local file system. This introduces risks of local data leakage, directory traversal, or writing malicious payloads to the host disk.

L3 · Agent Frameworks ✓ mapped

The orchestration framework drives a browser session and interacts with the DOM. Insecure tool integration or DOM injection could allow an attacker to hijack the browser automation to perform unauthorized actions within the logged-in Google account.

L4 · Deployment & Infrastructure ✓ mapped

The agent runs locally using the user's logged-in Chrome state. This setup has no sandboxing, so the user's active session cookies, local storage, and local file system are exposed to compromise if the agent's code is malicious or exploited.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — There is no mention of logging, execution guardrails, or run-time monitoring to detect if the browser automation is steered toward unauthorized domains or sensitive user data.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The agent inherits the identity and active authentication state of the user's Chrome browser without additional authorization boundaries, violating the principle of least privilege by accessing the full Google/Gemini session.

L7 · Agent Ecosystem ✓ mapped

As a community-contributed open-source skill, there is a risk of supply chain compromise or malicious updates in the repository, which could turn the browser-driving capability into a credential harvester.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).