
microsoft-docs — agentic threat model

AIVSS 5.3 · Medium

The microsoft-docs agent is a low-risk, read-only utility skill focused on document retrieval. Its primary security risk is indirect prompt injection via poisoned documentation or the generation of misleading configuration advice that downstream systems or users might execute without verification.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 4.8
AARS uplift: 1.09
Factor sum: 2.2/10
Threat multiplier (ThM): ×0.95
Mitigation factor: ×0.9

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action           0.10
Goal-Driven Planning         0.20
Self-Modification            0.00
Dynamic Tool Use             0.30
Persistent Memory            0.10
Contextual Awareness         0.40
Dynamic Identity             0.00
Multi-Agent Interactions     0.50
Non-Determinism              0.30
Opacity & Reflexivity        0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
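To make the score reproducible, the following is an added example (not part of the listing and not an official OWASP tool) that carries the formula above through with the listing's own numbers: it sums the ten agentic factors, computes the AARS uplift, applies the mitigation factor, and maps the result to a qualitative band. The band thresholds are an assumption borrowed from the CVSS qualitative scale (Low/Medium/High/Critical); the listing only states that 5.3 is "Medium".

```python
"""Reproduce the OWASP AIVSS score shown on the microsoft-docs listing.

AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
"""

# Agentic risk factor estimates exactly as given on the listing (0.0 - 1.0 each).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.10,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.30,
}

# Remaining inputs from the listing.
CVSS_BASE = 4.8
THREAT_MULTIPLIER = 0.95   # ThM
MITIGATION_FACTOR = 0.9


def factor_sum(factors):
    """Sum of the ten agentic factors; the listing reports 2.2/10."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} out of range 0..1: {value}")
    return sum(factors.values())


def aars(cvss_base, factor_total, thm):
    """Agentic uplift: scales the headroom above the CVSS base by the factor
    sum (normalised to 0..1) and the threat multiplier."""
    return (10.0 - cvss_base) * (factor_total / 10.0) * thm


def aivss(cvss_base, factor_total, thm, mitigation):
    """Final AIVSS score, capped at 10 like CVSS."""
    return min(10.0, (cvss_base + aars(cvss_base, factor_total, thm)) * mitigation)


def severity(score):
    """Qualitative band. ASSUMPTION: CVSS v3 qualitative thresholds."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score_agent(factors=AGENTIC_FACTORS, cvss_base=CVSS_BASE,
                thm=THREAT_MULTIPLIER, mitigation=MITIGATION_FACTOR):
    """Return every intermediate value so the rationale can be audited."""
    total = factor_sum(factors)
    uplift = aars(cvss_base, total, thm)
    final = aivss(cvss_base, total, thm, mitigation)
    return {
        "cvss_base": cvss_base,
        "factor_sum": round(total, 2),
        "aars": round(uplift, 2),
        "aivss": round(final, 1),
        "severity": severity(round(final, 1)),
    }


if __name__ == "__main__":
    result = score_agent()
    for key, value in result.items():
        print(f"{key:>10}: {value}")
    # With no mitigations applied (factor 1.0) the same agent would score
    # higher; re-running with mitigation=1.0 shows the size of that effect.
    print("unmitigated:", score_agent(mitigation=1.0)["aivss"])
```

Running the script reproduces the listing's 2.2 factor sum, 1.09 AARS uplift and 5.3 (Medium) AIVSS; changing a single factor, for example raising Dynamic Tool Use, shows how much of the score is driven by the agentic estimates rather than the CVSS base.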

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — likely uses Azure OpenAI or similar Microsoft-hosted foundation models. Primary threats include prompt injection to bypass retrieval constraints or model reprogramming to output malicious instructions disguised as official documentation.

L2 · Data Operations · ✓ mapped

Queries official Microsoft documentation (Azure, .NET, M365, etc.). The primary threat is documentation-retrieval poisoning if an attacker can manipulate the source documentation or if the vector database/search index is compromised, leading to the delivery of malicious configuration advice.

L3 · Agent Frameworks · ⚠ not certain from listing

Not certain from the listing — likely built on Semantic Kernel or AutoGen given the Microsoft ecosystem. Threats include insecure tool integration with the documentation search API and potential prompt injection via search results (indirect prompt injection).

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — presumably hosted within Microsoft's cloud infrastructure (Azure). Threats include unauthorized access to the search API endpoints and potential SSRF if the document retrieval mechanism can be coerced into querying arbitrary internal URLs.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — no specific evaluation, logging, or guardrail mechanisms are detailed in the public directory listing. Gaps here could lead to undetected drift or silent failures in document retrieval accuracy.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — while it is an official Microsoft skill, specific compliance certifications (like SOC2, ISO) or identity/authorization controls for this specific agent are not detailed in the listing.

L7 · Agent Ecosystem · ✓ mapped

Designed as an 'Agent Skill' or utility agent. It is highly likely to be integrated into larger multi-agent systems or orchestrators to provide technical context. The primary threat is cascading trust abuse, where a compromised orchestrator uses this agent to retrieve misleading configuration data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).