Supermemory — agentic threat model
Supermemory acts as a centralized, cross-agent memory hub, making it a high-value target for indirect prompt injection and memory poisoning attacks that can propagate across the entire connected agent ecosystem.
OWASP AIVSS score rationale
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.80 | |
| Dynamic Tool Use | 0.10 | |
| Persistent Memory | 1.00 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.80 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — the underlying LLM or embedding models used for memory synthesis and retrieval are not specified, but they remain vulnerable to adversarial prompt injection via poisoned memories.
The core of Supermemory is its vector store/database. Threats include data poisoning (injecting malicious memories) and data exfiltration (unauthorized agents reading sensitive memories).
As an MCP memory tool, it is highly vulnerable to memory poisoning. Malicious agents can write poisoned memories that are later re-injected into other agents' prompts, causing indirect prompt injection.
Not certain from the listing — the hosting environment (cloud vs. local MCP host) is not detailed, but insecure local MCP setups could expose the memory endpoint to local privilege escalation.
Not certain from the listing — there is no mention of guardrails, input sanitization, or anomaly detection to filter out poisoned or malicious memory writes.
Not certain from the listing — access control policies (AuthZ) between different agents writing to the same memory pool are not defined, posing a risk of cross-tenant or cross-agent data leakage.
Highly vulnerable to multi-agent trust abuse. A single compromised or rogue agent can write malicious payloads to the shared memory, which are then propagated to and executed by other trusted agents.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).