Free HEIC to PNG Converter — agentic threat model

AIVSS 2.6 · Low

The Free HEIC to PNG Converter is a static, client-side utility with zero agentic capabilities, presenting negligible AI-specific security risks. Its primary threat vector is standard web application supply-chain compromise, such as malicious JavaScript injection.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 4.3 · AARS uplift 0.0 · Factor sum 0.0/10 · Threat ×0.9 · Mitigation ×0.6

Autonomy of Action: 0.00
Goal-Driven Planning: 0.00
Self-Modification: 0.00
Dynamic Tool Use: 0.00
Persistent Memory: 0.00
Contextual Awareness: 0.00
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.00
Non-Determinism: 0.00
Opacity & Reflexivity: 0.00

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — This tool does not appear to use any foundation models or LLMs; it is a standard programmatic image converter.

L2 · Data Operations ✓ mapped

Runs entirely in the browser with no external data storage, RAG, or vector databases. Risk of data exfiltration is minimized as no files are uploaded to servers, though client-side supply chain attacks could compromise local data during processing.

L3 · Agent Frameworks ⚠ not certain from listing

Not certain from the listing — There is no agent framework, orchestration code, or tool-calling mechanism present; the application is a single-purpose utility.

L4 · Deployment & Infrastructure ✓ mapped

Hosted as a static web application. Standard web security threats apply (e.g., CDN compromise, DNS hijacking, or malicious dependency injection), but there is no backend server, database, or container infrastructure to compromise.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — No AI-specific evaluation, guardrails, or observability tools are mentioned or required for this deterministic utility.

L6 · Security & Compliance (cross-cutting) ✓ mapped

No user accounts, authentication, or registration. Compliance risk is extremely low as no PII or user data is collected, stored, or transmitted, aligning naturally with privacy regulations like GDPR.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — The tool does not interact with any agent ecosystem, marketplaces, or external APIs.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).