Skyvern — agentic threat model
Skyvern presents a high-risk profile due to its combination of autonomous browser control, credential handling, and exposure to untrusted web content, making it highly susceptible to indirect prompt injection and session hijacking.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.80 |
| Multi-Agent Interactions | 0.70 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.60 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order (Layer 1 through Layer 7). Layers tagged "Not certain from the listing" are general, caveated commentary where the public description did not pin that layer down.
Layer 1, Foundation Models: Uses LLM and vision models to interpret web pages. Highly vulnerable to adversarial visual elements or text on target websites (indirect prompt injection) that can reprogram the agent's goal during a live session.
Layer 2, Data Operations: Not certain from the listing — No explicit details are provided regarding RAG, vector databases, or training data operations, though the agent dynamically processes live DOM and visual data from external web pages.
Layer 3, Agent Frameworks: Executes multi-step browser workflows. Vulnerable to tool misuse, where an attacker manipulates the browser automation tool via prompt injection to perform unauthorized actions (e.g., clicking malicious links or submitting forms).
Layer 4, Deployment and Infrastructure: Supports cloud or self-hosted deployment. Operating live browser sessions introduces significant infrastructure risks, such as container escape or host compromise, if the browser environment is not strictly sandboxed.
Layer 5, Evaluation and Observability: Not certain from the listing — There is no mention of built-in guardrails, real-time monitoring, or logging mechanisms to detect and block anomalous or malicious browser actions.
Layer 6, Security and Compliance: Handles credentials and authenticated web sessions. This introduces severe risks of credential theft, session hijacking, and unauthorized data exfiltration if security policies and secure storage are not strictly enforced.
Layer 7, Agent Ecosystem: Exposes browser control to other agents via an MCP server. This creates a significant risk of agent-to-agent trust abuse, where a compromised or rogue downstream agent could exploit Skyvern to perform malicious web actions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).