ElizaOS — agentic threat model

9.7AIVSS 9.7 · Critical

ElizaOS is a highly autonomous, multi-agent framework with Web3 and multi-platform integrations, presenting a significant attack surface due to persistent memory (RAG), multi-agent trust assumptions, and potential financial or reputational impacts from blockchain and social media access.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 8.5AARS uplift 1.24Factor sum 7.5/10Threat ×1.1Mitigation ×1.0

Autonomy of Action		0.80
Goal-Driven Planning		0.70
Self-Modification		0.40
Dynamic Tool Use		0.80
Persistent Memory		0.90
Contextual Awareness		0.80
Dynamic Identity		0.70
Multi-Agent Interactions		0.90
Non-Determinism		0.80
Opacity & Reflexivity		0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — ElizaOS supports 'Flexible AI model support' but does not specify a default foundation model. Threats include adversarial prompt injection bypassing character constraints, or model reprogramming if local models are used.

L2 · Data Operations✓ mapped

ElizaOS features an 'Advanced RAG system for memory management'. This introduces risks of vector database poisoning, where malicious inputs are persisted into long-term memory, leading to persistent downstream exploitation or data exfiltration via RAG context.

L3 · Agent Frameworks✓ mapped

As a TypeScript-based orchestration framework, vulnerabilities in tool execution, character prompt parsing, or insecure state transitions could allow attackers to hijack agent planning or trigger unauthorized tool calls.

L4 · Deployment & Infrastructure⚠ not certain from listing

Not certain from the listing — The deployment infrastructure is managed by the user. However, running autonomous agents with Web3/blockchain capabilities and multi-platform integrations (Discord, Telegram) without strict sandboxing poses high host compromise and credential theft risks.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — The framework's description does not detail built-in guardrails, evaluation suites, or observability logging, creating potential blind spots for detecting drift, prompt injection, or anomalous agent behavior.

L6 · Security & Compliance (cross-cutting)⚠ not certain from listing

Not certain from the listing — There is no mention of built-in compliance frameworks, role-based access control (RBAC), or audit logging for agent actions, which is critical given its target Web3 and multi-platform deployment environments.

L7 · Agent Ecosystem✓ mapped

ElizaOS explicitly supports a 'Multi-agent architecture'. This introduces threats of cascading failures, agent-to-agent trust abuse, and lateral movement where a single compromised agent compromises the entire multi-agent network.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).