AgentReadyHomeAgent ListingPricing

← Open Human

Open Human — agentic threat model

6.8AIVSS 6.8 · Medium

OpenHuman presents a unique risk profile: while its local-first, privacy-centric architecture significantly reduces cloud-based data exfiltration vectors, its deep integration with personal emails, messages, and notes combined with a multi-agent 'Council of Agents' architecture creates a high-impact surface for local memory poisoning and cross-agent trust abuse.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 7.8AARS uplift 1.21Factor sum 5.5/10Threat ×1.0Mitigation ×0.75
Autonomy of Action
0.40
Goal-Driven Planning
0.60
Self-Modification
0.30
Dynamic Tool Use
0.50
Persistent Memory
0.90
Contextual Awareness
0.80
Dynamic Identity
0.20
Multi-Agent Interactions
0.70
Non-Determinism
0.60
Opacity & Reflexivity
0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — The specific foundation models used locally are not disclosed. Threats include model reprogramming or adversarial prompt injection via ingested local files, emails, or messages, which could manipulate the local LLM's behavior.

L2 · Data Operations✓ mapped

The agent builds a persistent knowledge base from highly sensitive personal data (emails, messages, notes) stored locally. The primary threat is local data/knowledge-base poisoning, where malicious incoming emails or messages inject adversarial context into the vector store, leading to persistent manipulation of the agent's memory.

L3 · Agent Frameworks✓ mapped

The framework orchestrates persistent memory and proactive intelligence. Threats include memory poisoning and insecure tool integration, particularly if the proactive intelligence engine automatically triggers actions or tool executions based on poisoned local context without explicit user confirmation.

L4 · Deployment & Infrastructure✓ mapped

The agent runs locally on-device ('no terminal, no API keys, no setup'). While this eliminates cloud hosting risks, it introduces local host compromise and privilege escalation threats if the application binary contains vulnerabilities or lacks proper sandboxing from other local processes.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — There is no mention of local evaluation, guardrails, or observability logging. The lack of visible guardrails creates a blind spot where poisoned local memory or malicious inputs can silently degrade agent behavior over time.

L6 · Security & Compliance (cross-cutting)✓ mapped

The agent emphasizes a 'privacy-first' and 'local/private data handling' posture, which aligns with data minimization principles. However, there is no mention of formal compliance frameworks (e.g., SOC2) or local access control mechanisms to prevent unauthorized local users from accessing the stored knowledge base.

L7 · Agent Ecosystem✓ mapped

The agent features a 'Council of Agents'. This multi-agent architecture introduces risks of agent-to-agent (A2A) trust abuse, where a single compromised or poisoned sub-agent within the council propagates malicious instructions or corrupted data to other agents, causing cascading failures in reasoning.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology — every score is re-derived by the same automated method as an agent's public evidence changes.