Kohala — agentic threat model

AIVSS 8.5 · High

Kohala is an agent-building and operations platform with high inherent risk due to its capability to design and deploy autonomous workflows across scored data sources. A compromise of the platform could lead to widespread downstream agent manipulation and data exposure.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.93 · Factor sum 5.9/10 · Threat ×1.05 · Mitigation ×0.9

Autonomy of Action: 0.70
Goal-Driven Planning: 0.80
Self-Modification: 0.30
Dynamic Tool Use: 0.60
Persistent Memory: 0.50
Contextual Awareness: 0.70
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.60
Non-Determinism: 0.70
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The specific foundation models utilized by Kohala's builder (Kai) are not disclosed. Threats include model misalignment, prompt injection, or model-level vulnerabilities affecting the generated agents.

L2 · Data Operations ✓ mapped

Kohala features 'data source scoring' and 'Koans' to keep outputs live and current. This introduces risks of data/knowledge-base poisoning of the scored sources, unauthorized data exfiltration via live outputs, and lack of data lineage tracking.

L3 · Agent Frameworks ✓ mapped

As an orchestration platform with an 'Approve & Build' flow, Kohala manages agent planning and execution. Threats include insecure tool integration, memory poisoning within the built agents, and logic flaws in the autonomous workflows designed by Kai.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — The hosting, sandboxing, and execution environment for the built agents are not detailed. Threats include container escape, privilege escalation, or lateral movement if agents run in shared environments.

L5 · Evaluation & Observability ✓ mapped

Kohala provides 'agent operations' and 'data source scoring', indicating built-in monitoring capabilities. However, there are risks of evaluation gaming, blind spots in agent execution logs, and drift detection gaps in live outputs.

L6 · Security & Compliance (cross-cutting) ⚠ not certain from listing

Not certain from the listing — No specific compliance certifications (such as SOC2 or ISO), identity management, or access control policies are detailed in the public directory listing.

L7 · Agent Ecosystem ✓ mapped

Kohala operates as an agent ecosystem platform where multiple agents can be designed and run. This creates threats of cascading failures across built agents, unauthorized inter-agent communication, and trust abuse between different workflows.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).

These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.