Formtorch — agentic threat model
Formtorch is a traditional serverless form backend rather than an active AI agent, presenting minimal agentic risk. Its primary security posture revolves around standard web API security, data privacy (PII handling), and secure management of third-party integration secrets.
OWASP AIVSS score rationale
| Factor | Score |
| --- | --- |
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.00 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.20 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.00 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.00 |
| Opacity & Reflexivity | 0.00 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — Formtorch is described as a serverless form backend and does not explicitly mention using foundation models or LLMs. If AI is used for spam protection, it faces standard model evasion or adversarial bypass threats.
Layer 2, Data Operations: Not certain from the listing — The platform stores and processes form submission data (PII, user inputs) but does not indicate the use of vector databases, RAG, or AI data pipelines. Traditional data exfiltration and injection via form fields are the primary risks.
Layer 3, Agent Frameworks: Not certain from the listing — There is no evidence of an agentic orchestration framework (like LangChain or AutoGPT). The system uses deterministic routing and webhooks rather than LLM-based tool calling.
Layer 4, Deployment and Infrastructure: Formtorch runs on serverless infrastructure to handle API submissions. Key threats include API endpoint abuse, denial of service (DoS) on form endpoints, and potential exposure of integration secrets (Slack, Notion, Zapier tokens) stored on the platform.
Layer 5, Evaluation and Observability: Not certain from the listing — No AI-specific evaluation, guardrails, or LLM observability tools are mentioned. Standard API logging and submission monitoring are likely present but unverified.
Layer 6, Security and Compliance: The platform handles user submissions (potentially containing PII) and integrates with third-party services. Compliance risks include GDPR/CCPA violations if sensitive data is stored without consent, and lack of explicit mention of SOC2 or advanced encryption standards.
Layer 7, Agent Ecosystem: Not certain from the listing — Formtorch does not operate within an AI agent ecosystem or marketplace. Its integrations (Zapier, Make) are standard webhooks rather than autonomous agent-to-agent collaborations.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.