HeicToPng — agentic threat model
HeicToPng is a client-side utility rather than an active AI agent, presenting near-zero agentic risk. Its primary security boundary is the browser sandbox, with risks limited to traditional web application vulnerabilities like XSS or supply chain compromise of its open-source dependencies.
OWASP AIVSS score rationale
| Autonomy of Action | 0.00 | |
| Goal-Driven Planning | 0.00 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.00 | |
| Persistent Memory | 0.00 | |
| Contextual Awareness | 0.00 | |
| Dynamic Identity | 0.00 | |
| Multi-Agent Interactions | 0.00 | |
| Non-Determinism | 0.00 | |
| Opacity & Reflexivity | 0.00 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The tool does not appear to use a foundation model or LLM; it is a standard image format converter.
Not certain from the listing — No RAG, vector stores, or training data are used. Files are processed locally in the browser.
Not certain from the listing — There is no agent orchestration framework, planning, or tool-calling mechanism.
Runs entirely client-side in the user's browser. Threats include client-side vulnerabilities, malicious dependency injection (supply chain), or hosting provider compromise (XSS).
Not certain from the listing — No LLM evaluation or observability stack is mentioned or required for this static utility.
No user accounts, sign-up, or data collection. Compliance risk is extremely low as no PII or files are transmitted or stored.
Not certain from the listing — No multi-agent interactions or marketplace integrations exist.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).