
MermaidViewer — agentic threat model

AIVSS 6.7 · Medium

MermaidViewer carries little agentic risk: the workflow is tightly constrained and human-in-the-loop, with the model doing nothing beyond turning a text description into diagram code that a person then reviews. The Medium score is driven by the conventional web application attack surface (cross-site scripting through Mermaid rendering, SSRF in the export tooling) and by prompt injection, not by autonomous behaviour.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.5
AARS uplift: 0.38
Factor sum: 1.5 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.85

Worked through: AARS = (10 − 7.5) × (1.5 / 10) × 1.0 = 0.375, so AIVSS = (7.5 + 0.375) × 0.85 = 6.69, shown as 6.7. The uplift is small because the ten agentic factors sum to only 1.5 of a possible 10.

Agentic risk factors (each on a 0 to 1 scale):
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.20
Persistent Memory: 0.20
Contextual Awareness: 0.20
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.00
Non-Determinism: 0.40
Opacity & Reflexivity: 0.20

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); the agentic risk factors are estimates from the agent's described capabilities, not measured values.
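To make the score reproducible, here is an added example (not the AIVSS calculator's own code) that recomputes the figures above from the ten factors as listed. The severity bands are assumed to follow the CVSS v3 qualitative scale, which the "Medium" label on this page is consistent with; the bound on the mitigation factor is likewise an assumption.

```python
"""Recompute the listing's AIVSS figure from its ten agentic risk factors.

Added example, not the AIVSS calculator's own code. Factor names and values
are the ones shown on this page; the severity bands are assumed to follow
the CVSS v3 qualitative scale.
"""
import math

# Agentic risk factors as listed for MermaidViewer (each scored 0.0 to 1.0).
MERMAIDVIEWER_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.20,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.20,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.00,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.20,
}


def agentic_risk_uplift(cvss_base, factors, threat_multiplier=1.0):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM.

    The uplift is a fraction of the headroom above the CVSS base, so a
    CVSS 10.0 finding gets no uplift and a low base can gain at most the
    remaining distance to 10 (times ThM).
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must be in 0..10")
    if len(factors) != 10:
        raise ValueError("AIVSS defines exactly ten agentic risk factors")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: factor must be in 0..1, got {value}")
    # fsum keeps 0.2 + 0.1 + ... from drifting below 1.5 in binary floating point.
    factor_sum = math.fsum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor."""
    if not 0.0 < mitigation_factor <= 1.0:
        # Assumption: mitigation can only lower the score; 1.0 means nothing mitigated.
        raise ValueError("mitigation factor must be in (0, 1]")
    aars = agentic_risk_uplift(cvss_base, factors, threat_multiplier)
    return (cvss_base + aars) * mitigation_factor


def severity(score):
    """Qualitative band (assumed CVSS v3 scale: Low/Medium/High/Critical)."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def explain(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return the intermediate values so a reviewer can check each step."""
    aars = agentic_risk_uplift(cvss_base, factors, threat_multiplier)
    score = aivss_score(cvss_base, factors, threat_multiplier, mitigation_factor)
    return {
        "factor_sum": round(math.fsum(factors.values()), 2),
        "aars": round(aars, 2),
        "aivss": round(score, 1),
        "severity": severity(score),
    }


if __name__ == "__main__":
    print(explain(7.5, MERMAIDVIEWER_FACTORS, mitigation_factor=0.85))
```

The range checks matter more than the arithmetic: a factor above 1.0 or a base above 10 silently inflates the uplift, and a listing that publishes a score should fail loudly on such input rather than print a number.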

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" are general, caveated commentary where the public description does not establish what sits at that layer.

L1 · Foundation Models ✓ mapped

Uses GPT-4 (marketed as 'GPT-4 magic') to translate free text into Mermaid code. Threats at this layer: prompt injection that overrides the system instructions, which can arrive in the user's own description or in text pasted from an untrusted document; model output that embeds script-capable constructs (HTML in labels, click handlers) in otherwise valid Mermaid syntax; and denial of service, either at the model from oversized prompts and responses or at the renderer from diagrams that are expensive to lay out.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing. The tool processes user-provided text descriptions to generate diagrams and does not mention RAG, vector databases, or a long-term knowledge base. The primary data threat is exfiltration of the proprietary system architectures users describe: descriptions go to a hosted GPT-4 endpoint, so architecture details leave the deployment boundary unless the private deployment option routes to a self-hosted model, which the listing does not state, and the generated diagrams themselves are a compact map of the environment worth protecting at rest and in transit.

L3 · Agent Frameworks ⚠ not certain from listing

Not certain from the listing. The orchestration appears to be a single-step pipeline (prompt → GPT-4 → Mermaid source → renderer) rather than an agent framework with tools. The main threat at this layer is the hand-off: if the model's output is passed straight to the rendering engine as trusted diagram source, anything the model was induced to emit (HTML in labels, click handlers, init directives) reaches the renderer unsanitized.
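One shape for the hand-off check described above, and for the script-in-Mermaid threat under L1: an added example, not MermaidViewer's code, of a gate that inspects model-generated Mermaid source before it reaches the renderer. The sample diagrams and the wiki.example.internal link are constructed; the Mermaid constructs it looks for (click interactions, %%{init}%% directives, HTML in labels) are standard syntax.

```python
"""Pre-render gate for model-generated Mermaid source.

Added example, not MermaidViewer's own code. It sits between the GPT-4
response and the renderer and refuses source that carries script-capable
constructs, so that a prompt-injected model output cannot reach the
browser as trusted diagram code. Sample diagrams are constructed here.
"""
import re

# First significant line must name a diagram type we expect from the model.
_DIAGRAM_HEADER = re.compile(
    r"^(graph|flowchart|sequenceDiagram|classDiagram|stateDiagram(-v2)?|"
    r"erDiagram|gantt|pie|journey|gitGraph|mindmap|timeline)\b"
)
# Harmless angle-bracket syntax removed before the HTML check:
# <br/> line breaks in labels and <<stereotype>> annotations in class diagrams.
_BR = re.compile(r"<br\s*/?>", re.I)
_STEREOTYPE = re.compile(r"<<[^<>]*>>")

_LINE_RULES = [
    # Any other HTML tag in a label is rendered as markup when htmlLabels is on.
    ("html-tag-in-label", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event-handler-attr", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),
    # %%{init: ...}%% lets the diagram author change renderer configuration;
    # an operator, not the model, should own that.
    ("init-directive", re.compile(r"%%\{\s*init\b", re.I)),
]

# `click <node> ...` interactions: only absolute http(s) links are allowed;
# `call`/`callback` forms and anything else are refused.
_CLICK_LINE = re.compile(r"^\s*click\s+\S+\s+(.*)$", re.I)
_SAFE_HREF = re.compile(r'^href\s+"https?://[^"\s]+"', re.I)


def check_mermaid_source(src, max_bytes=16_384, max_lines=400):
    """Return a list of (rule, line_number, snippet); empty means safe to render."""
    findings = []
    if len(src.encode("utf-8")) > max_bytes:
        findings.append(("too-large", 0, f"{len(src)} chars"))
    lines = src.splitlines()
    if len(lines) > max_lines:
        findings.append(("too-many-lines", 0, str(len(lines))))
    header = next(
        (line.strip() for line in lines if line.strip() and not line.strip().startswith("%%")),
        "",
    )
    if not _DIAGRAM_HEADER.match(header):
        findings.append(("unknown-diagram-type", 1, header[:60]))
    for number, raw in enumerate(lines, 1):
        snippet = raw.strip()[:60]
        scrubbed = _BR.sub("", _STEREOTYPE.sub("", raw))
        for rule, pattern in _LINE_RULES:
            if pattern.search(scrubbed):
                findings.append((rule, number, snippet))
        click = _CLICK_LINE.match(raw)
        if click and not _SAFE_HREF.match(click.group(1).strip()):
            findings.append(("click-not-https-link", number, snippet))
    return findings


def is_safe_to_render(src):
    return not check_mermaid_source(src)


# Constructed samples: what the model is expected to return, and what a
# prompt-injected response might carry.
BENIGN = """flowchart LR
    A[Client] -->|HTTPS| B[API gateway]
    B --> C[(Postgres)]
    click B href "https://wiki.example.internal/api-gateway"
"""
INJECTED = """flowchart LR
    A["<img src=x onerror=alert(document.cookie)>"] --> B[Export]
    click B call leak()
    %%{init: {"flowchart": {"htmlLabels": true}}}%%
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("injected", INJECTED)):
        print(name, "OK" if is_safe_to_render(src) else check_mermaid_source(src))
```

The gate is a second layer, not a replacement for the renderer's own controls: Mermaid's securityLevel should stay at its default 'strict', which encodes HTML in text and disables click functionality. The gate covers the cases that setting does not, such as source that is stored and later exported or embedded elsewhere, and it gives the L5 layer something to log when a model response trips a rule.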

L4 · Deployment & Infrastructure ✓ mapped

The application supports private deployment via Docker and exports diagrams to SVG, PNG, and PDF. Threats include container escape and insecure Docker configuration (a root container, a mounted Docker socket, a privileged flag), and server-side request forgery (SSRF) or local file inclusion (LFI) in the PDF/image rendering engines: converting SVG to PNG or PDF on the server means a rasterizer or headless browser follows whatever the SVG references, so a diagram carrying an external image, use, or CSS import can make the export host fetch internal URLs or local files.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing. There is no mention of LLM guardrails, input/output filtering, or logging of prompts and generated diagrams. That leaves a blind spot: prompt injections and attempts to exploit the rendering engine can go undetected, and there is no record from which to reconstruct what the model was asked and what it emitted.

L6 · Security & Compliance (cross-cutting) ✓ mapped

Features role-based access controls (RBAC) and private deployment options. RBAC decides what a role may do, not which diagrams a given user may reach, so the threat to test is broken object-level authorization (BOLA) in the real-time team collaboration features: a diagram or session identifier accepted without checking the caller's membership lets unauthorized users view or edit sensitive system diagrams.

L7 · Agent Ecosystem ⚠ not certain from listing

Not certain from the listing. The agent operates as a standalone productivity tool; no multi-agent ecosystem or marketplace integration is described, so ecosystem threats are negligible for now.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).