Letta — agentic threat model
Letta's primary risk lies in its advanced, persistent memory capabilities, which make it highly susceptible to long-term memory poisoning and state-manipulation attacks. Because it is also a deployment platform that exposes REST APIs and tool calling, a compromise could lead to widespread unauthorized tool execution and data exfiltration across the agents it manages.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.70 |
| Goal-Driven Planning | 0.80 |
| Self-Modification | 0.90 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 1.00 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.60 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the seven MAESTRO layers. Layers tagged “not certain from the listing” carry general, caveated commentary because the public description did not pin down that layer.
Layer 1, Foundation Models. Not certain from the listing — Letta is model-agnostic, so foundation-model threats (adversarial examples, alignment failures) depend on the developer's choice of LLM, although Letta's stateful wrapper could inherit or amplify those risks.
Layer 2, Data Operations. Letta's core value is persistent, long-term memory management. This introduces significant risk of memory and knowledge-base poisoning, unauthorized exfiltration of data from the stateful store, and embedding inversion.
Layer 3, Agent Frameworks. As an agent development environment that supports tool calling and REST APIs, it is highly vulnerable to tool misuse, memory poisoning (for example, prompt injection that modifies the agent's core memory), and insecure tool integration.
Layer 4, Deployment and Infrastructure. Letta offers cloud deployment and REST APIs. Threats include compromise of the container or host running the hosted service, unauthorized API access, and missing sandboxing for executed tools or Python SDK environments.
Layer 5, Evaluation and Observability. Letta promotes 'white box systems' and transparent memory, which aids observability. However, monitoring for drift, memory corruption, or adversarial manipulation of agent state remains a critical gap unless it is explicitly configured.
Layer 6, Security and Compliance. Not certain from the listing — the listing does not describe specific enterprise compliance standards (such as SOC 2 or ISO) or built-in RBAC and policy-enforcement mechanisms for the hosted cloud service.
Layer 7, Agent Ecosystem. Letta is designed to deploy and manage agents at scale. This creates risks of multi-agent trust abuse, cascading failures across stateful agents, and horizontal propagation of malicious memory states from one agent to others.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.