
JobBuddy — agentic threat model

AIVSS 5.8 · Medium

JobBuddy is a low-risk document-generation assistant focused on resume and cover letter creation. Its primary security risks center on the handling of sensitive personally identifiable information (PII) and potential indirect prompt injection via untrusted job descriptions.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 5.3 · AARS uplift 0.76 · Factor sum 1.7/10 · Threat ×0.95 · Mitigation ×0.95

Autonomy of Action: 0.10
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.00
Persistent Memory: 0.30
Contextual Awareness: 0.40
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.00
Non-Determinism: 0.50
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — likely relies on third-party foundation models via API to generate text. Primary threats include prompt injection to bypass safety filters and model utility degradation from misaligned outputs.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — ingests highly sensitive user resume data and job descriptions. Threats include insecure parsing of user-uploaded document formats (PDF/DOCX) and potential data leakage of PII if data is used for model training.

L3 · Agent Frameworks ⚠ not certain from listing

Not certain from the listing — likely uses a simple linear pipeline rather than a complex agentic framework. The main threat is indirect prompt injection, where a malicious job description uploaded by a user manipulates the resume generator's instructions.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — presumably deployed as a standard cloud-hosted web application. Threats include typical web application vulnerabilities (OWASP Top 10), insecure session management, and lack of isolation during document processing.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — no details are provided regarding output verification or guardrails. Threats include the generation of hallucinated or fabricated professional experience in resumes without user detection.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The listing explicitly asserts a 'Data Privacy Commitment' ensuring user data is secure and not shared with third parties. However, there is no mention of formal compliance frameworks (such as GDPR or SOC2) to validate these claims.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing — JobBuddy operates as a standalone application with no indicated multi-agent orchestration or external ecosystem integrations.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).