Onboarding Agent — agentic threat model
The Onboarding Agent exhibits moderate agentic risk, primarily driven by its multi-agent CrewAI architecture and access to sensitive HR data via RAG. While infrastructure security is robust (Fargate, OAuth2, Firebase), the lack of explicit LLM-specific guardrails poses a risk of prompt injection and data exfiltration.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.40 |
| Persistent Memory | 0.50 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.70 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Uses GPT-4. Vulnerable to adversarial prompt injection, which could bypass system instructions to leak the system prompt or retrieve unauthorized documents. Model misalignment could lead to incorrect HR policy advice.
Layer 2 (Data Operations): Utilizes a RAG pipeline with Chroma and GCS, storing structured data in Supabase. Risks include poisoning of the vector database (injecting malicious onboarding documents) and unauthorized exfiltration of sensitive employee PII.
Layer 3 (Agent Frameworks): Orchestrated via CrewAI and FastAPI. Vulnerabilities in CrewAI's tool-calling mechanisms or in the FastAPI endpoints could allow attackers to manipulate agent execution paths or poison agent memory state.
Layer 4 (Deployment and Infrastructure): Deployed on AWS ECS Fargate with ECR and ALB. Fargate provides strong container isolation, reducing host-compromise risk, but misconfigured ALB routing or an insecure CI/CD pipeline remain potential vectors.
Layer 5 (Evaluation and Observability): Monitored via AWS CloudWatch. While infrastructure logging is present, there is no mention of LLM-specific evaluation, semantic guardrails, or real-time prompt-injection detection, creating an observability blind spot for agent behavior.
Layer 6 (Security and Compliance): Implements Firebase Auth and OAuth2 SSO, providing strong identity controls. However, strict row-level security (RLS) in Supabase must be enforced to prevent horizontal privilege escalation among onboarding employees.
Layer 7 (Agent Ecosystem): Employs CrewAI, implying internal multi-agent collaboration. Risks include cascading failures if one sub-agent is compromised via prompt injection, leading to trust abuse across the agent crew.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.