

Jan AI — agentic threat model

AIVSS 6.6 · Medium

Jan AI presents a low inherent agentic risk because of its local-first, human-in-the-loop design, but exposing an OpenAI-compatible API server on the local network introduces host-compromise risk if malicious inputs or unauthorized API requests reach that server.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 7.8 · AARS uplift 0.51 · Factor sum 2.3/10 · Threat ×1.0 · Mitigation ×0.8

Agentic risk factors (ten factors, sum 2.3):
Autonomy of Action: 0.10
Goal-Driven Planning: 0.20
Self-Modification: 0.10
Dynamic Tool Use: 0.20
Persistent Memory: 0.30
Contextual Awareness: 0.30
Dynamic Identity: 0.10
Multi-Agent Interactions: 0.10
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
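To make the score rationale reproducible, here is the AIVSS arithmetic carried through with the listing's own numbers. This is an added example, not code from the AgentReady listing, Jan AI or the OWASP AIVSS project; the qualitative bands in severity() are the CVSS v3 ranges and are an assumption here, since the listing only labels 6.6 as Medium.

```python
"""Worked check of the OWASP AIVSS arithmetic quoted in the listing.

Added example: not code from the AgentReady listing, Jan AI or OWASP.
It applies the formula shown on the page,

    AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
    AIVSS = (CVSS_Base + AARS) * Mitigation_Factor

to the ten agentic factor weights from the listing and reproduces the
0.51 uplift and the 6.6 score.
"""
from dataclasses import dataclass

# Factor weights exactly as given in the listing for Jan AI.
JAN_AI_FACTORS = {
    "Autonomy of Action": 0.10,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.20,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.30,
    "Dynamic Identity": 0.10,
    "Multi-Agent Interactions": 0.10,
    "Non-Determinism": 0.50,
    "Opacity & Reflexivity": 0.40,
}


@dataclass(frozen=True)
class AivssResult:
    factor_sum: float   # sum of the ten factor weights (the "x/10" figure)
    aars: float         # agentic uplift added on top of the CVSS base
    score: float        # final AIVSS score, capped at 10.0


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Compute AIVSS from a CVSS base score and the ten agentic factors.

    Inputs are validated so a typo in a factor table is caught rather than
    silently producing an out-of-range score.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in 0..10")
    if len(factors) != 10:
        raise ValueError("AIVSS defines exactly ten agentic risk factors")
    for name, weight in factors.items():
        if not 0.0 <= weight <= 1.0:
            raise ValueError(f"factor {name!r} weight must be in 0..1")
    if mitigation_factor <= 0.0:
        raise ValueError("mitigation factor must be positive")

    factor_sum = sum(factors.values())
    # Headroom above the CVSS base, scaled by how agentic the system is.
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = min((cvss_base + aars) * mitigation_factor, 10.0)
    return AivssResult(round(factor_sum, 2), round(aars, 2), round(score, 1))


def severity(score):
    """CVSS v3 qualitative bands (assumed here, not stated by the listing)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    result = aivss(7.8, JAN_AI_FACTORS, threat_multiplier=1.0, mitigation_factor=0.8)
    print(f"factor sum {result.factor_sum}/10, AARS {result.aars}, "
          f"AIVSS {result.score} ({severity(result.score)})")
    # Same inputs without the 0.8 mitigation credit, to show what it buys.
    unmitigated = aivss(7.8, JAN_AI_FACTORS)
    print(f"without mitigation credit: {unmitigated.score} ({severity(unmitigated.score)})")
```

Running it with the listing's inputs gives factor sum 2.3, AARS 0.51 and AIVSS 6.6; dropping the 0.8 mitigation factor lifts the same profile to 8.3, which is the part of the score a deployer controls through bindings, authentication and monitoring.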

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ✓ mapped

Jan AI runs local models (for example GGUF files) on user hardware. The primary threats are adversarial prompt injection that bypasses local system prompts, and users downloading backdoored or poisoned model weights from untrusted public repositories.

L2 · Data Operations · ⚠ not certain from listing

Not certain from the listing — While Jan AI prioritizes local data privacy, the listing does not detail its local RAG, document ingestion, or vector database capabilities, leaving potential gaps regarding local data poisoning or unauthorized local file access.

L3 · Agent Frameworks · ⚠ not certain from listing

Not certain from the listing — Jan AI operates primarily as a model runner and API provider rather than an autonomous agent framework, meaning agentic threats like recursive planning or autonomous tool misuse are minimal unless driven by external connected applications.

L4 · Deployment & Infrastructure · ✓ mapped

Jan AI runs directly on personal computers and exposes an OpenAI-compatible API server. This creates a significant threat of unauthorized local network access to the API, potentially allowing remote attackers to exploit the host system if the API lacks strict binding and authentication controls.
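The L4 threat turns on one configuration detail: which address the API server is bound to. The following audit script is an added example, not code from Jan AI or the AgentReady listing. It parses `ss -ltnH` output and separates loopback-only listeners (reachable only from the same host) from wildcard or LAN-interface binds (reachable by any peer on the network). The sample output and the port numbers in it are constructed for the example and are not documented Jan AI defaults.

```python
"""Audit local API listeners for LAN exposure.

Added example, not code from Jan AI or the AgentReady listing. A socket on
127.0.0.1 or ::1 is reachable only from the same host, while 0.0.0.0, :: or
a LAN interface address accepts connections from every peer on the network.
The `ss -ltnH` text below is constructed for this example; the port numbers
are placeholders, not documented Jan AI defaults.
"""
import ipaddress
import subprocess
from dataclasses import dataclass

# Constructed sample in the layout of `ss -ltnH` (state, queues, local, peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      4096      127.0.0.1:1337       0.0.0.0:*
LISTEN 0      4096        0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096          [::1]:1337          [::]:*
LISTEN 0      4096           [::]:9000          [::]:*
LISTEN 0      128      192.168.1.20:5000       0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    exposure: str   # "loopback", "any" (wildcard bind) or "interface" (one LAN address)


def split_endpoint(endpoint):
    """Split 'host:port' as ss prints it, including '[v6]:port' and '*:port'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]   # drop brackets and any %scope id
    return host, int(port)


def classify_host(host):
    """Decide who can reach a socket bound to this address."""
    if host == "*":
        return "any"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "any"
    return "interface"


def parse_ss(output):
    """Turn `ss -ltnH` text into Listener records (one per LISTEN line)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_endpoint(fields[3])
        listeners.append(Listener(host, port, classify_host(host)))
    return listeners


def lan_reachable(output):
    """Listeners a peer on the local network could connect to."""
    return [l for l in parse_ss(output) if l.exposure != "loopback"]


def current_listeners():
    """Run ss on this host; returns [] where ss is unavailable or fails."""
    try:
        out = subprocess.run(["ss", "-ltnH"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return parse_ss(out)


if __name__ == "__main__":
    for l in lan_reachable(SAMPLE_SS_OUTPUT):
        print(f"LAN-reachable: {l.host}:{l.port} ({l.exposure})")
```

On the sample, the two 1337 listeners are loopback-only and the 8080, 9000 and 5000 listeners are LAN-reachable. Any API server that shows up as `any` or `interface` without an intended LAN use case should be rebound to loopback; where LAN access is intended, it needs authentication in front of it, which is the control the paragraph above calls out.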

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — The description does not mention built-in guardrails, input/output filtering, or security observability tools, suggesting a reliance on the user to monitor and secure model interactions manually.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — Although privacy-focused, it is unclear if Jan AI provides robust local multi-user authentication, role-based access controls, or audit logging for its exposed API server to meet enterprise compliance standards.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — There is no mention of an agent marketplace or multi-agent orchestration ecosystem, though its open API allows it to be integrated as a node within larger, potentially untrusted multi-agent deployments.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).