
Odysseus AI — agentic threat model

AIVSS 6.1 · Medium

Odysseus AI presents a moderate risk profile, primarily driven by the ingestion of untrusted external data (PDFs and URLs) and the handling of sensitive user API keys (BYOK). While its current agentic autonomy is low, its roadmap towards autonomous MCP tools and email/calendar operations will significantly elevate its threat surface.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 6.5
AARS uplift: 0.74
Factor sum: 2.1/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.85

Agentic risk factors (each scored 0.0 to 1.0):

Autonomy of Action: 0.20
Goal-Driven Planning: 0.20
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.10
Contextual Awareness: 0.40
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.00
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
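To make the score rationale above reproducible, here is an added example (not part of the listing or the AIVSS calculator) that evaluates the stated formula against the page's own inputs and shows how the roadmap capabilities would move the score; the roadmap factor values are hypothetical assumptions, not figures from the listing.

```python
# Agentic risk factors copied from the listing above (constructed input).
FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.20,
    "Multi-Agent Interactions": 0.00,
    "Non-Determinism": 0.40,
    "Opacity & Reflexivity": 0.30,
}


def factor_sum(factors):
    """Sum of the ten agentic factors; each must lie in [0, 1]."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} out of range: {value}")
    return sum(factors.values())


def aars(cvss_base, factors, threat_multiplier=1.0):
    """AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM, as stated on the page."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """AIVSS = (CVSS_Base + AARS) * Mitigation_Factor, as stated on the page."""
    return (cvss_base + aars(cvss_base, factors, threat_multiplier)) * mitigation_factor


def roadmap_scenario(factors, overrides):
    """Return a copy of the factors with hypothetical (assumed) roadmap values applied."""
    return {**factors, **overrides}


if __name__ == "__main__":
    # Page values: CVSS base 6.5, ThM 1.0, mitigation 0.85 -> 6.1 (Medium).
    print(f"current AIVSS: {aivss(6.5, FACTORS, 1.0, 0.85):.2f}")
    # Hypothetical: autonomous MCP tools and email/calendar operations raise
    # autonomy, tool use and ecosystem factors (assumed values, not from the listing).
    future = roadmap_scenario(FACTORS, {"Autonomy of Action": 0.70,
                                        "Dynamic Tool Use": 0.70,
                                        "Multi-Agent Interactions": 0.30})
    print(f"roadmap AIVSS (assumed factors): {aivss(6.5, future, 1.0, 0.85):.2f}")
```

Running it reproduces the 6.1 shown above and makes visible that, with the same CVSS base and mitigation, the assumed roadmap factors alone push the score higher.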

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models · ✓ mapped

Utilizes external foundation models via OpenRouter routing (with optional BYOK). The primary threat is prompt injection embedded in ingested PDFs or URLs, which could hijack the model's reasoning or cause it to ignore system instructions.

L2 · Data Operations · ✓ mapped

Ingests PDFs, URLs, and notes to generate research briefs. Threats include data poisoning via malicious document uploads, SSRF during URL ingestion, and potential data exfiltration of sensitive research data if the workspace isolation is breached.

L3 · Agent Frameworks · ⚠ not certain from listing

Not certain from the listing — mentions a 'Research Agent Workflow with MCP Tools' and a roadmap for autonomous agents, but the underlying orchestration framework is unspecified. Threats include insecure tool execution and prompt injection via MCP tool inputs.

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — claims an 'Isolated Workspace' and 'No Model Training on User Data', but details regarding containerization, network sandboxing for URL parsers, and secure storage of user-provided OpenRouter API keys are not disclosed.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — provides 'source-traceable research reports' allowing manual user verification of citations, but does not detail automated guardrails, output filtering, or security logging of agent actions.

L6 · Security & Compliance (cross-cutting) · ⚠ not certain from listing

Not certain from the listing — emphasizes privacy and data isolation, but lacks explicit details regarding enterprise access controls (RBAC, SSO), audit logging, or compliance certifications (e.g., SOC 2, GDPR).

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — roadmap mentions autonomous agents with email/calendar operations, but current ecosystem interactions are limited to OpenRouter API routing and local workspace tools.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).