Email AI Extractor — agentic threat model

AIVSS 6.6 · Medium

The Email AI Extractor is a low-autonomy utility agent focused on web scraping and data extraction. Its primary security risks stem from processing untrusted web content, which exposes it to indirect prompt injection and CSV injection vulnerabilities.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.8 · AARS uplift 0.76 · Factor sum 1.8/10 · Threat ×1.0 · Mitigation ×1.0

Autonomy of Action: 0.40
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.10
Contextual Awareness: 0.30
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.00
Non-Determinism: 0.30
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — likely utilizes a commercial or open-source LLM to parse unstructured text. The primary threat is indirect prompt injection, where malicious instructions embedded in a target website hijack the model's behavior during extraction.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — processes transient web data to generate CSV files. Threats include CSV injection (Formula Injection) if the agent extracts malicious payloads (e.g., '=cmd|' /C...') from websites and writes them unescaped into the output file.
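One way to close the CSV injection path described above, as an added example that is not the agent's own code: every scraped cell is neutralized before it is written, following the common guidance of prefixing formula-leading values with a single quote and quoting all fields. The function names, field names and sample records are assumptions made for this illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return value as text that a spreadsheet will not evaluate as a formula."""
    text = "" if value is None else str(value)
    # Check the raw text and the text with leading whitespace removed, since
    # a formula-leading value can sit behind spaces.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_safe_csv(rows, fieldnames):
    """Serialize scraped rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL,
                            extrasaction="ignore")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


# Constructed sample of scraped records (hypothetical field names); the second
# and third carry formula-leading values in a field the website controls.
SCRAPED = [
    {"email": "alice@example.com", "name": "Alice", "source": "https://example.com/team"},
    {"email": "bob@example.com", "name": "=1+1", "source": "https://example.com/about"},
    {"email": "carol@example.com", "name": "  @SUM(A1:A2)", "source": "https://example.com/c"},
]

if __name__ == "__main__":
    print(write_safe_csv(SCRAPED, ["email", "name", "source"]))
```

The neutralization is applied to every column, not only the email field, because any scraped value that reaches the file is attacker-controllable.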

L3 · Agent Frameworks ⚠ not certain from listing

Not certain from the listing — likely uses a basic scraping and file-writing orchestration framework. Threats include insecure tool integration if the scraping tool lacks limits on file sizes, redirect depth, or rate limits.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — could be deployed as a local CLI tool, browser extension, or hosted service. If hosted, it is highly vulnerable to Server-Side Request Forgery (SSRF) if users can force it to scrape internal network addresses.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — no observability or guardrail mechanisms are mentioned. This creates a blind spot where malicious inputs or anomalous scraping behaviors go undetected.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — being open-source/freemium, it lacks explicit compliance controls. Mass scraping of email addresses presents significant regulatory risks under GDPR, CCPA, and CAN-SPAM regulations.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — operates as a standalone utility. Ecosystem risks are minimal unless integrated into automated downstream marketing or email-sending pipelines.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).