Droidrun — agentic threat model
Droidrun presents a high-risk profile due to its capability to translate natural language commands into direct physical actions on Android and iOS devices, creating a direct vector for device compromise if prompt injection or tool misuse occurs.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.70 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.30 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.20 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — Droidrun acts as a framework and likely relies on external LLMs (e.g., OpenAI, Anthropic) or local models for natural language parsing, making it susceptible to prompt injection and adversarial reprogramming that could translate to malicious device commands.
Not certain from the listing — The framework's handling of device state, screenshots, or UI hierarchy data is not detailed, presenting risks of sensitive data exposure or exfiltration if device telemetry is sent to untrusted model endpoints.
Droidrun orchestrates LLM agents to control mobile OS environments. The primary threat is tool misuse and insecure tool integration, where malicious or hijacked natural language commands are translated into destructive device actions (e.g., deleting files, sending unauthorized messages).
The framework operates directly on Android and iOS devices or emulators. This presents severe risks of privilege escalation, host compromise, and unauthorized access to device APIs (ADB, accessibility services) if the execution environment is not strictly sandboxed.
Not certain from the listing — There is no mention of built-in guardrails, execution logging, or real-world monitoring to detect anomalous or malicious device commands before they are executed on the target OS.
Not certain from the listing — The open-source framework does not detail built-in authentication, authorization, or policy enforcement mechanisms to restrict which commands can be executed on the connected mobile devices.
Not certain from the listing — While it supports 'LLM agents', it is unclear if it facilitates multi-agent coordination or marketplace integrations, though rogue agents could theoretically gain control of the device interface.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).