MXGo.AI — agentic threat model
MXGo.AI presents a high-risk profile due to its deep integration with user email systems (reading, writing, and processing attachments) combined with autonomous web research capabilities, making it highly susceptible to indirect prompt injection via incoming emails.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.70 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The specific LLMs used are not detailed, though 'open-source AI' is mentioned. The primary threat at this layer is prompt injection (especially indirect prompt injection) embedded in incoming emails or attachments, which could reprogram the model's behavior.
Not certain from the listing — The mechanism for storing and parsing emails, attachments, and web research results is unspecified. Threats include data poisoning of the agent's context or vector database via malicious incoming emails, and potential exfiltration of sensitive email data during web research tasks.
The agent framework orchestrates email summarization, sender research, scheduling, and web search. The primary threat is tool misuse, where an attacker sends an email containing instructions that trick the agent into executing unauthorized actions, such as sending emails, deleting messages, or scheduling malicious meetings.
Not certain from the listing — The hosting environment (cloud vs. self-hosted open-source) is not detailed. Key threats include the insecure storage of highly sensitive email credentials (OAuth tokens/IMAP passwords) and the lack of sandboxing when parsing untrusted email attachments (e.g., PDFs).
Not certain from the listing — There is no mention of evaluation, guardrails, or observability tools. The threat is a lack of detection mechanisms to identify when the agent has been compromised by an indirect prompt injection attack or is leaking sensitive data.
Not certain from the listing — No compliance certifications (e.g., SOC2, GDPR) or identity governance controls are mentioned. The threat is unauthorized access to the agent's administrative interface, which would grant full access to the user's connected email accounts.
Not certain from the listing — While 'open-source AI Agents' are mentioned, the extent of multi-agent collaboration is unclear. Threats include trust abuse if the agent interacts with external calendar or scheduling agents, potentially leading to cascading scheduling conflicts or unauthorized data sharing.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology. Are you the vendor? Factual corrections are free.