
Search (UI-TARS) — agentic threat model

AIVSS 9.6 · Critical

This agent presents a high-risk profile because it combines ingestion of untrusted web content with coupled browser automation. Together these create a direct pathway for indirect prompt injection to trigger arbitrary on-page actions.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.75
Factor sum: 5.7/10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.30
Contextual Awareness: 0.80
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.60
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary, because the public description did not cover that layer.

L1 · Foundation Models (✓ mapped)

The agent relies on foundation models (via UI-TARS) that are highly susceptible to indirect prompt injection, as untrusted web search results and rendered page content are fed directly back into the model context, potentially reprogramming its behavior.

L2 · Data Operations (✓ mapped)

Data operations involve ingesting real-time, unvetted web data from multiple search engines. There is a severe risk of data poisoning and ingestion of malicious payloads embedded in web pages that can manipulate the agent's state.

L3 · Agent Frameworks (✓ mapped)

The framework couples search with browser automation tools. Insecure tool integration is a primary threat, where injected instructions from web pages can abuse the browser automation tool to perform unauthorized on-page actions.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing: the deployment environment requires robust sandboxing for the browser automation component to prevent container escape, local network probing, or host compromise from malicious web pages, but specific sandbox controls are not detailed.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing: there is no mention of real-time guardrails, input/output filtering, or anomaly detection to identify when the browser automation tool is being manipulated by adversarial web content.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing: the open-source tool lacks visible authentication, authorization policies, or execution boundaries to restrict which domains or actions the browser automation can interact with.

L7 · Agent Ecosystem (✓ mapped)

As part of the UI-TARS agent desktop stack, this agent interacts with other local tools and agents. A compromise of this search agent via web injection can cascade, allowing lateral movement to other agents in the UI-TARS ecosystem.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).