Replit Agent 3 — agentic threat model
Replit Agent 3 exhibits high agentic risk due to its deep autonomy, code execution capabilities, and ability to generate and deploy active sub-agents, requiring robust sandboxing and strict API permission boundaries.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.90 | |
| Goal-Driven Planning | 0.90 | |
| Self-Modification | 0.40 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.50 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.60 | |
| Multi-Agent Interactions | 0.80 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary: the public description did not give enough detail to pin down that layer, so the threats named there are typical of the layer rather than confirmed for Agent 3.
1. Foundation Models: Not certain from the listing — The specific foundation models powering Agent 3 are not disclosed. Threats include prompt injection leading to malicious code generation or bypassing of safety filters.
2. Data Operations: Not certain from the listing — The data operations and vector stores used for codebase context are not detailed. Threats include data exfiltration from integrated services such as Notion, and poisoning of the codebase context the agent relies on.
3. Agent Frameworks: The agent framework orchestrates complex multi-step planning, browser-based testing, and self-healing code modification. Threats include tool misuse, where the agent executes destructive commands or introduces vulnerabilities during the autonomous testing and fixing phase.
4. Deployment and Infrastructure: The agent operates within Replit's autonomous runtime environment. Threats include container escape, privilege escalation within the workspace, and unauthorized outbound network connections initiated by the generated applications.
5. Evaluation and Observability: Not certain from the listing — While the agent performs browser-based testing of its own apps, the listing does not detail internal guardrails, logging, or security observability of the agent's actions.
6. Security and Compliance: Not certain from the listing — No specific compliance certifications (such as SOC 2) or identity and access management controls are detailed in the public listing.
7. Agent Ecosystem: The agent supports 'agent generation' to build sub-agents and automations (e.g., Slack/Telegram bots). Threats include the creation of rogue or compromised sub-agents, cascading failures, and agent-to-agent (A2A) trust abuse across the generated integrations.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).