
OpenAI Realtime Agents — agentic threat model

AIVSS 7.7 · High

OpenAI Realtime Agents is a high-exposure prototyping framework for multi-agent voice applications, where the primary risks stem from real-time audio prompt injection, insecure local container orchestration, and potential exposure of credentials stored in its built-in secret store.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.1
AARS uplift: 1.01
Factor sum: 5.3/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.85

Agentic risk factors (each 0.0 to 1.0):
Autonomy of Action: 0.50
Goal-Driven Planning: 0.60
Self-Modification: 0.20
Dynamic Tool Use: 0.50
Persistent Memory: 0.30
Contextual Awareness: 0.70
Dynamic Identity: 0.30
Multi-Agent Interactions: 0.80
Non-Determinism: 0.80
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
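The arithmetic behind the headline score, worked through with this listing's inputs as an added example (not code from the page, the AIVSS calculator, or the OpenAI project); the function names and the range checks on inputs are this example's own assumptions:

```python
# Added example: OWASP AIVSS arithmetic applied to this listing's published inputs.
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
# Function names and validation are this example's own, not the calculator's API.

# The ten agentic risk factors as scored on this page (each in 0.0 to 1.0).
FACTORS = {
    "Autonomy of Action": 0.50,
    "Goal-Driven Planning": 0.60,
    "Self-Modification": 0.20,
    "Dynamic Tool Use": 0.50,
    "Persistent Memory": 0.30,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.30,
    "Multi-Agent Interactions": 0.80,
    "Non-Determinism": 0.80,
    "Opacity & Reflexivity": 0.60,
}


def aars(cvss_base: float, factors: dict, thm: float = 1.0) -> float:
    """Agentic AI Risk Score: the uplift added on top of the CVSS base.
    The (10 - CVSS_Base) term caps the uplift so the total cannot exceed 10."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in [0, 10]")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1]")
    factor_sum = sum(factors.values())  # 5.3 for this listing
    return (10.0 - cvss_base) * (factor_sum / 10.0) * thm


def aivss(cvss_base: float, factors: dict, thm: float = 1.0,
          mitigation: float = 1.0) -> float:
    """Final AIVSS score; a mitigation factor below 1.0 credits controls in place."""
    return (cvss_base + aars(cvss_base, factors, thm)) * mitigation


def score_listing() -> dict:
    """Reproduce the numbers shown in this listing's score rationale."""
    uplift = aars(8.1, FACTORS, thm=1.0)
    total = aivss(8.1, FACTORS, thm=1.0, mitigation=0.85)
    return {
        "factor_sum": round(sum(FACTORS.values()), 1),  # 5.3
        "aars": round(uplift, 2),                        # 1.01
        "aivss": round(total, 1),                        # 7.7
    }


if __name__ == "__main__":
    print(score_listing())
```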

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Uses OpenAI's Realtime API (typically GPT-4o). Highly vulnerable to real-time audio prompt injection, voice-based adversarial inputs, and model reprogramming via interactive voice streams.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The repository does not explicitly detail its RAG or vector database integrations, but voice agents typically require low-latency data retrieval, making them susceptible to data poisoning or unauthorized data exfiltration if connected to external knowledge bases.

L3 · Agent Frameworks (✓ mapped)

Orchestrates multi-agent voice interactions. Threats include insecure tool integration, session hijacking, and voice-based prompt injection bypassing orchestration logic to execute unauthorized tools.

L4 · Deployment & Infrastructure (✓ mapped)

Supports multiple operating systems, containerization, and multi-container testing. Threats include container escape, insecure secret storage in the 'built-in secret store', and host compromise during local testing.

L5 · Evaluation & Observability (✓ mapped)

Features 'live logs with color and emoji'. Threats include log injection (adversarial voice inputs writing malicious payloads to logs) and lack of automated guardrails or drift detection in the default prototyping setup.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — No formal compliance certifications (e.g., SOC 2, ISO 27001) or robust identity/access management policies are mentioned, which is typical for open-source prototyping frameworks.

L7 · Agent Ecosystem (✓ mapped)

Explicitly designed for 'multi-agent realtime voice applications'. Threats include agent-to-agent trust abuse, cascading failures across containers, and rogue agents executing unauthorized actions on behalf of other agents.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).